<trackbot> Date: 08 February 2012
<npdoty> if you just called in and you're on IRC, please tell Zakim which letter combination you are, thx
<npdoty> scribenick: jchester2
Aleecia: this call and next call focused on compliance, and we will use to publish second working draft.
<tl> Aleecia, every so often, you become quiet for a second or two.
First day of Brussels minutes is up
<jmayer> Procedure Q: Was there any further discussion of moving the weekly call time?
<johnsimpson> on call?
We are looking to fix dates for April meeting, people should do doodle poll
we need to keep this as regular time for now for conf call
<tl> Aleecia, I'm still hearing you become quiet for a second or two every so often. Am I the only one?
<jmayer> Thanks. Then for at least the next month, I won't be able to make more than the first half hour.
<johnsimpson> i am hearing you fine
are people having trouble hearing Aleecia and indicate in IRC
we are looking at closing orphan issues. [help!]
<trackbot> ACTION-1 -- Aleecia McDonald to look at summary of DNT definition/compliance proposals -- due 2012-02-03 -- OPEN
<npdoty> heather and aleecia were going to work on that, but haven't had time, don't see it happening any time soon
<npdoty> anyone interested in taking this one on?
Action 1--Aleecia closing out item on summary different DNT definitions across documents.
<trackbot> Sorry, couldn't find user - 1--Aleecia
<hwest> No objection to closing it - would be useful, but zero chance I can do it
<WileyS> Would it be possible simply list links to existing documents somewhere? We can all pitch in on that task.
<WileyS> possible "to" simply...
<hwest> There's a list of input docs on the W3C site - I think that's a good start
Rigo is going to look into action and asked that decision to close action be deferred by one week.
<npdoty> +1 to WileyS on aggregating links
Rigo is now responsible for that issue and we will distribute info as suggested by Shane
<trackbot> ACTION-68 -- Justin Brookman to provide text on ISSUE-54 -- due 2012-02-01 -- OPEN
<enewland> he's not
67, 68, 109 are being discussed on list.
<enewland> he has a webinar
<npdoty> i think ksmith has actually sent out his proposal
Action 80, David Singer says connected to Action 99 and has draft in to Nick and will be distributed to others.
<trackbot> ACTION-80 -- David Singer to singer and shane wiley to determine whether dave singer's paradigm on parties would be a solution for Issue 27 -- due 2012-02-01 -- OPEN
<trackbot> ACTION-99 -- David Singer to write up automated discoverability of party relationships proposal (Nick and Bryan to help) -- due 2012-02-02 -- OPEN
<trackbot> Sorry, couldn't find user - 80,
<trackbot> ACTION-91 -- Andy Zeigler to write text on fingerprinting risk (ISSUE-109, ISSUE-114), with Nick Doty -- due 2012-02-07 -- OPEN
Action 91, Andy to write text on finger printing issue. Tom, Sid, Nick and Andy close to send out text proposal
<trackbot> Sorry, couldn't find user - 91,
<npdoty> andyzei: very close to sending out a text proposal, hopefully today
Action 92, Alan Chappel. Issue 113, Alan: We are letting issue close
<trackbot> Sorry, couldn't find user - 92,
<aleecia> also having trouble hearing
<WileyS> Why couldn't we leverage the existing site-specific exception process for web-wide exceptions - they would simply list a single domain versus a domain pair.
Issue 113. JeffChester also having trouble hearing
<npdoty> I think the suggestion is that user agents may be able to implement this without our writing it into the spec
<npdoty> WileyS, are you volunteering to write up that change?
<jmayer> Have we decided that there will be web-wide exceptions?
Shane: We can leverage specific site exemption structure for worldwide exemption structure. We need to discuss how will worldwide exemption process be presented to a user
<WileyS> Nick - will you lead?
<laurengelman> is this like an exemption for "discus" or "twitter" button
<WileyS> Okay - I'll lead then.
Nick will write counterproposal but will help Shane
<jmayer> E.g. ("yahoo.com", "*")
<aleecia> I think we have two action items out of this: one on Shane to revise non-norm text with Nick's help, and one to still address issue-113 head on
<laurengelman> exemptions for 3rd parties?
<laurengelman> google ads?
Shane: We still need to discuss whether group supports worldwide exceptions
<vincent_> jmayer, it'd be more something like (*, "yahoo.com") I think
<npdoty> ACTION: Wiley to write a proposal on web-wide exception API (for ISSUE-113) (with npdoty) [recorded in http://www.w3.org/2012/02/08-dnt-minutes.html#action01]
<trackbot> Created ACTION-120 - Write a proposal on web-wide exception API (for ISSUE-113) (with npdoty) [on Shane Wiley - due 2012-02-15].
<dsinger> goodness yes. embedded widgets, a trusted advertiser
<jmayer> vincent, just wanted to show that the syntax is trivial
<jmayer> (If we decide to allow such exceptions.)
Aleecia: There is interest from Europe on the exemption issues.
<vincent_> oh ok, sorry
<WileyS> Agreed with Tom - that was my "non-normative" element of text I referred to and will provide draft text for this.
<npdoty> tl: user agents can handle this; can use a UI or permission structure like seen in some geolocation implementations
<rigo> I think the exemption issue is also connected to the make and record consent issue (opt-back in)
Aleecia: Who wants to take Issue 113 as it stands?
<laurengelman> i agree that it sounds like something that can be so technically trivial that users will have no idea what they opted into. especially with a broad definition of "party"
Nick: Text that we will send it will address JavaScript API and it will include issue 113
sorry about typos!
<tl> npdoty: andyzei, do we have a marked action item for this?
<npdoty> and I'll be sure to note the connection to issue-113 when we send out text related to action 91
<trackbot> ACTION-93 -- Jeffrey Chester to write suggestions for best practices for issue-115, assisted by Ninja, Alan, Jim -- due 2012-02-07 -- OPEN
Action 93, Best Practices: Jeff will send after the call
<trackbot> Sorry, couldn't find user - 93,
<trackbot> ACTION-106 -- Heather West to sharing of data between entities via cookie syncing / identity brokering, with Vincent Toubiana -- due 2012-02-02 -- OPEN
<npdoty> vincent_, didn't you just send this out today?
<npdoty> close action-106
<trackbot> ACTION-106 Sharing of data between entities via cookie syncing / identity brokering, with Vincent Toubiana closed
Action 106. Orphan action to be closed. Sharing data between entities via cookie syncing. Heather wants to discuss whether it should be in spec or is covered by other items.
<trackbot> Sorry, couldn't find user - 106.
<npdoty> action-106 pending review
<trackbot> ACTION-107 -- Peter Eckersley to peter & MeMe, Draft text on Will Do Not Track apply to offline aggregating or selling of data? -- issue 30 -- due 2012-02-02 -- OPEN
<npdoty> pde? meme?
<scribe> ACTION: 107 to Does DNT apply to Issue 30, apply to offline data gathering. Mimi interested in reviewing text but not draft. Tom says current draft doesn't make distinction between sharing off and online. It seems this is covered. [recorded in http://www.w3.org/2012/02/08-dnt-minutes.html#action02]
<trackbot> Sorry, couldn't find user - 107
<npdoty> tl: seems like issue-30 is already covered
Amy can draft something on Action 107.
<npdoty> andyzei, is adrian here?
Action 109, Adrian. Drafting text Issue 54. This is being discussed on mailing list now.
<trackbot> Sorry, couldn't find user - 109,
<trackbot> ACTION-116 -- Thomas Lowenthal to draft text prohibitng third parties from acting or representing themselves as first parties -- due 2012-02-15 -- OPEN
Tom, Action 116. Working on issue.
Tom gets one more week for Action 116
<npdoty> aleecia: for next call, we'll try to sit down with a draft to see where we can live with things to publish another public draft
Aleecia: Next call we will be sitting down with draft to discuss what we can live with
<trackbot> ISSUE-57 -- What if an opt-out cookie exists but an "opt back in" out-of-band is present? -- raised
Issue 57, Text from Shane if you have mixed messages
Aleecia suggests we change text: honors DNT, not honors DNT
<WileyS> I'm fine with that change - this was a cut/paste from an early submission
<npdoty> Opt-Out / DNT Exception: Exception is honored (browser/device is not opted-out)
<rigo> conflict between DNT header and opt-out cookie
<rigo> DNT=0 set and opt-out cookie sent back
Nick has concern that if there is both opt-out cookie and DNT exemption, how we address
<rigo> in this case, browser should see this as opt-in
<aleecia> DNT Signal / No Opt-Out: Browser/device is opted-out
<aleecia> Opt-Out / DNT Exception: Exception is honored (browser/device is not opted-out)
<aleecia> Shane once again understands both people speaking, even without drop outs
<aleecia> So is the general rule: the specific trumps the general?
Shane--we always go to privacy conservative side, but in 4th case when we receive site specific exemption would override a passive or cookie based setting elsewhere. An explicit consent event.
<fielding> basically, a specific consent overrides a general opt-out
<johnsimpson> Does DNT Exception equal DNT:0
<rigo> +1 to fielding
<WileyS> I'm sorry Nick - I didn't really follow that example
<rigo> consent always trumps whatever
Nick will write something up on this issue
<WileyS> Yes - I'll rewrite
<WileyS> Please assign new action item :-)
<npdoty> ACTION: Shane to re-write language on issue-57 proposal to avoid "opt out" language [recorded in http://www.w3.org/2012/02/08-dnt-minutes.html#action03]
<trackbot> Created ACTION-121 - Re-write language on issue-57 proposal to avoid "opt out" language [on Shane Wiley - due 2012-02-15].
<trackbot> ISSUE-25 -- Possible exemption for research purposes -- pending review
Issue 25: Possible exemption for research purposes, w/text in
<aleecia> ISSUE-36: Should DNT opt-outs distinguish between behavioral targeting and other personalization?
<trackbot> ISSUE-36 Should DNT opt-outs distinguish between behavioral targeting and other personalization? notes added
<aleecia> This standard provides general requirements on data collection, use, and disclosure. These requirements are not specific to behavioral advertising. (Note: this text may be better placed in the preamble.)
<trackbot> ISSUE-36 -- Should DNT opt-outs distinguish between behavioral targeting and other personalization? -- raised
We are close on Issue 36
<tl> I just want to put it in the preamble.
<WileyS> I still owe Tom a response on finding the exact preamble location
<fielding> which text?
Issue 36 is closed
<rigo> I'm in favor of not having it specific as dnt can be a general consent mechanism for personalization
<tl> It's still possible that this may be merged in more elegantly in the final editing pass.
<npdoty> issue-36 closed
<trackbot> ISSUE-36 Should DNT opt-outs distinguish between behavioral targeting and other personalization? closed
<npdoty> resolution: don't need to distinguish between behavioral advertising and other personalization
<trackbot> ISSUE-74 -- Are surveys out of scope? -- raised
<npdoty> can Kathy or Alex explain this?
Issue 74. Are surveys out of scope. Nothing special about surveys, re: our research discussion. Issue is closed.
<johnsimpson> +1 to close 74
<npdoty> okay, great
<aleecia> For the EU, the outsourcing scenario is clearly regulated. In the current EU
<aleecia> Directive 95/46/EC, but also in the suggested regulation reforming the data
<aleecia> protection regime, an entity using or processing data is subject to data
<aleecia> protection law. An entity acting as a first party and contracting services of
<aleecia> another party is responsible for the overall processing. If the third party
<aleecia> has own rights and privileges concerning the processing of the data collected
<aleecia> by the first party, it isn't a data processor anymore and thus not covered by
Action 48 [against Issue 10 via Rigo]
<trackbot> Sorry, couldn't find user - 48
<aleecia> exemptions. This third party is then considered as a second data controller
<aleecia> with all duties attached to that status. As the pretensions of users are based
<aleecia> on law, they apply to first and third party alike unless the third party acts
<aleecia> as a mere data processor.
Rigo: This would require additional contractual information between third and first parties.
<tl> dsinger: An unexpected joy for all of us. =]
<aleecia> A party MAY take action contrary to the requirements of this standard if compelled by applicable law. If compelled by applicable law to collect, retain, or transmit data despite receiving a DNT:1 signal for which there is no exception or exemption, the party SHOULD notify affected users to the extent practical and allowed by law.
Mandatory legal process via Justin and his modifications to Jonathan's text. Should the final text include a "must"
<tl> *Or*, we could just see which group can yell their preferred word louder, right now in the call?
<WileyS> T1 :-)
Rigo: The relation between law and the standards of W3C. W3C is just the tool-maker and will be a tool in various legal frameworks. We over-estimate the normative of W3C standards
<WileyS> Agree with Rigo - in place where the law requires disclosure we're already doing this.
<tl> Sadly, only Shane would be able to tell who was yelling louder, because he's the only person who can hear everyone. =p
<WileyS> And therefore I win by default - love it.
Nick: Can a party using a contract as compelled by law--do we have language
<tl> WileyS: And that's why we're against just yelling into the void.
<fielding> law != contracts
<laurengelman> well, you can just explicitly say it does not
<rigo> Shane, disclosure is rather a P3P-like topic (and Dave has suggested to use the vocab and throw away the protocol, which is really interesting suggestion)
Tom: We need to provide guidance in the document, and loss to users that sites can claim contract to undermine DNT intent
<WileyS> Where companies are legally compelled to disclose, we do. The attempt to add further burdens for required disclosures is inappropriate and therefore the request for SHOULD instead of MUST.
Roy: Contracts can't violate law by definition.
Rigo: We should write some explanatory text
<aleecia> the question wasn't if contracts trump law, it was if someone might claim contracts are sufficient to compel them
<tl> fielding, I think what we mean is that a company would be "compelled by law" if they wrote a contract with someone else, because it would be legally prohibited to violate that contract.
<fielding> tl, actually, no, it would just break the contract -- contracts are not compelled by law
<rigo> roy, contracts can break law, say having a contract to rob a bank
Lauren: If they say they are DNT compliant, they can't use contracts to undermine compliance position.
<fielding> tl, failure to adhere to a contract may include required remedies, but those remedies are by contract or judicial imposition (not laws)
<rigo> in the EU you need consent. DNT is a mechanism
<tl> fielding: Breach of contract is legally prohibited, now?
<fielding> rigo: in the US, contracts that contain illegal activity are null and void
Aleecia proposes that we take starting pt text from Justin; add a sentence on compelled by applicable law doesn't mean contract; and address should vs. must
<rigo> in the US you make a promise. If you do not adhere to it, you deceive the user
<npdoty> aleecia: take Justin's text, add a sentence about contracts not compelling, note that SHOULD/MUST is still open
Amy: Can the text she and Shane drafted make it into draft?
<npdoty> amyc, is there a difference besides the SHOULD/MUST disclosure question?
<rigo> WileyS, URI for Dave's paper for disclosures: http://www.w3.org/2010/09/raggett-fresh-take-on-p3p/
<rigo> again, just tooling
<trackbot> ACTION-84 -- Shane Wiley to wiley to describe the reason for setting DNT=null -- due 2012-02-01 -- PENDINGREVIEW
Action 84, via Shane, discuss DNT to null. If there are user agents that don't support DNT and have them send back null. From Shane: Use case, companies will want to support DNT site specific exemptions when they can.
<trackbot> Sorry, couldn't find user - 84,
<amyc> Issue 28 proposed text: this standard is not intended to override applicable local, state, or country law.
<WileyS> Maybe it's a SHOULD instead of a MUST then
<JC> That sounds odd since UAs support DNT today but cannot send DNT:Null
<fielding> tl: not that I am aware of -- contracts are an agreement between parties -- breach may result in civil action or required remedies that have nothing to do with laws per se. Laws are the rules that governments pass to define what is legal or illegal activity and how decisions are made for the public good. The process by which civil actions are resolved is certainly imposed by law. So, contracts are not compelled by law, though resolution of disputes might be.
Shane: We need text so issue is addressed
<WileyS> SHOULD not MAY :-)
<WileyS> But not MUST - agree
<WileyS> That's why I said SHOULD, not MUST
Nick: Hard to convince user agents for a feature that users haven't turned on.
Roy: We need volunteers to write text for TPE spec.
Nick volunteers to do first draft
<johnsimpson> still having trouble understanding the use case...
<npdoty> ACTION: doty to draft possible use of site-specific exception API to test existence of DNT / ask for exceptions even without DNT turned on [recorded in http://www.w3.org/2012/02/08-dnt-minutes.html#action04]
<trackbot> Created ACTION-122 - Draft possible use of site-specific exception API to test existence of DNT / ask for exceptions even without DNT turned on [on Nick Doty - due 2012-02-15].
Amy has placed text in IRC
<WileyS> John - I can ask a user today to give Yahoo! out-of-band to track for a particular widget. Rather than continue to support out of band permissions, where appropriate it would be great to be able to leverage DNT supported mechanisms if they exist. The issue is being able to see a browser supports DNT prior to a user first setting DNT:1. That's what the request is for - as a SHOULD, not a MUST.
<WileyS> "...give out-of-band 'permission' to..."
<trackbot> ACTION-65 -- Thomas Lowenthal to propose clarification on ISSUE-39 -- due 2012-02-03 -- PENDINGREVIEW
Action 65, Tracking of Geographic Data
<trackbot> Sorry, couldn't find user - 65,
Aleecia: The way we have DNT now, impacts geo-IP look-up
<npdoty> aleecia: had thought there was a concern that ZIP+4 was too much (actually from Jules?)
<WileyS> I thought we had draft text for this now?
<npdoty> ... but also the position that geo IP targeting wasn't tracking
Aleecia wants to place in doc. options on geo-location
<WileyS> Okay - I didn't see the strong disagreement
<npdoty> I liked the idea of a "contextual" exception
I think this requires key focus for next week on geo-targeting
<aleecia> Tom's original text: http://lists.w3.org/Archives/Public/public-tracking/2012Feb/0081.html
Shane: no way to get to zip+4 without user consent today
<aleecia> which is after Shane's proposal that we not address it at all
<johnsimpson> should an international standard have a reference to Zip code?
<fielding> outsourcing constraints are the same as for other cases, I think
<aleecia> disagreement from DavidW: http://lists.w3.org/Archives/Public/public-tracking/2012Feb/0115.html
<npdoty> I think there's a concern that IP geolocation is or may be increasing in precision
<aleecia> If we have more agreement than I thought, bonus
<WileyS> I didn't catch all of that but in general I'm supportive of the text in the email chain
Jeff Chester asked that we focus on geo-location for next week's call
<aleecia> and from Justin: http://lists.w3.org/Archives/Public/public-tracking/2012Feb/0170.html
<aleecia> Rigo, we do have text
<WileyS> Let's address it as hyper-precise vs. generally accurate
Nick suggests we could speak to invasiveness or potential of geo-location info.
<fielding> If the geolocation information is essential to use of a site, as in most mobile contextual offer sites, then consent is generally collected once and DNT is ignored. Right?
<aleecia> DMA is good enough for most business cases
<aleecia> or general zip level
<aleecia> 100,000 or so people living there
<aleecia> consent needed for more precision
<npdoty> do we want to use "precise" or "hyper-precise" and then reference some existing document that defines it?
<hwest> Most of those are nowhere near precise location
<WileyS> Please speak to Apple :-) We're not always in control.
<laurengelman> have to hop.
<npdoty> johnsimpson: we keep referring to Zip, Zip+4, but doesn't this need to apply internationally?
<WileyS> Agreed - that's why we're moving to "hyper-precise"
John Simpson says that language using zip +4 not approp, given international use of location
Rigo: Zip or postal codes are international
<aleecia> zip code or locally appropriate analog? would that work?
<npdoty> rigo: in p3p, checked on internationalization, using postal codes seemed okay
Rigo: Once we are in last call, we will have internationalization discussion then
Aleecia: We will incorp. Tom's existing text into draft and have that as the discussion. Gets us to good snapshot
<fielding> postal codes: Universal Postal Union, “International Postal Address Components and Templates,” UPU S42-1, November 2002.
<npdoty> who will take the action to integrate the text? can one of the editors volunteer for that?
Tom: Says it's good plan and our language is focused on guidance in level of accuracy
<aleecia> next steps: add Tom's text to the draft
<rigo> Roy, what people do not realize is that the country on the letter MUST be written in french according to the treaty
<WileyS> With a statement that explicit user consent trumps DNT (out of band permission at this time)
<hwest> Tom, can you email that language to me directly?
<rigo> consent trumps everything, much to the dismay of some privacy advocates
We will need text to ensure that explicit consent fairly obtained--which is not case today
<fielding> rigo, no problem -- we just redefine French ;-)
<hwest> And anyone else who doesn't see their text in the draft over the next few days, email@example.com
Aleecia: We will publish text in short order. Adjourn
<WileyS> Thank you for scribing Jeff!
<enewland> thanks aleecia
<npdoty> trackbot, bye