15:49:04 RRSAgent has joined #dnt 15:49:04 logging to http://www.w3.org/2012/03/14-dnt-irc 15:49:15 Zakim has joined #dnt 15:49:26 Zakim, this will be dnt 15:49:26 ok, aleecia; I see T&S_Track(dnt)12:00PM scheduled to start in 11 minutes 15:49:36 chair: schunter 15:49:48 rrsagent, make logs public 15:50:17 mischat has joined #dnt 15:51:23 T&S_Track(dnt)12:00PM has now started 15:51:30 tl has joined #dnt 15:51:30 +??P8 15:51:54 +[Mozilla] 15:52:03 Zakim, Mozilla has tl 15:52:03 +tl; got it 15:52:33 Zakim, who is on the phone? 15:52:33 On the phone I see ??P8, [Mozilla] 15:52:34 [Mozilla] has tl 15:52:55 Zakim, ??P8 is schunter 15:52:55 +schunter; got it 15:53:12 +aleecia 15:53:31 agenda+ Selection of scribe 15:53:40 dsriedel has joined #dnt 15:53:53 agenda+ Any comments on minutes: http://www.w3.org/2012/03/07-dnt-minutes 15:54:14 agenda+ Review of overdue action items: https://www.w3.org/2011/tracking-protection/track/actions/overdue 15:54:35 schunter has joined #dnt 15:54:37 agenda+ ISSUE-111: Signaling status and existence of site-specific exceptions http://www.w3.org/2011/tracking-protection/track/issues/111 15:54:39 + +2191374aaaa 15:54:51 agenda+ Responses: Header & URI 15:54:58 zakim, aaaa is dsriedel 15:54:58 +dsriedel; got it 15:55:02 zakim, mute me 15:55:02 dsriedel should now be muted 15:55:07 agenda+ Creation of new actions for TPE 15:55:19 agenda+ Announce next meeting & adjourn 15:55:45 Zakim, who is on the phone? 15:55:45 On the phone I see schunter (muted), [Mozilla], aleecia, dsriedel (muted) 15:55:47 [Mozilla] has tl 15:56:16 +rvaneijk 15:57:17 dsinger_ has joined #dnt 15:57:32 aleecia, Do you know how Zakim does and doesn't remember which numbers belong to which people? Presumably, that's something I should ask Nick? 15:57:58 + +1.415.520.aabb 15:58:11 jmayer has joined #dnt 15:58:13 +dsinger 15:58:13 KevinT has joined #dnt 15:58:13 dsinger_ has joined #dnt 15:58:20 zakim, mute dsinger 15:58:20 dsinger should now be muted 15:58:22 Nick is your official person to ask. Thomas knows details fairly well. David Singer has some clue here too. 15:58:34 + +1.646.654.aacc 15:58:38 + +1.202.684.aadd 15:58:47 Zakim, aadd is jmayer 15:58:47 +jmayer; got it 15:58:49 sidstamm has joined #dnt 15:58:51 zakim, mute me 15:58:51 schunter should now be muted 15:59:05 jchester2 has joined #dnt 15:59:20 ifette has joined #dnt 16:00:04 +[Mozilla.a] 16:00:11 eberkower has joined #dnt 16:00:11 Zakim, Mozilla.a has sidstamm 16:00:11 +sidstamm; got it 16:00:20 vinay has joined #dnt 16:00:25 aleecia, If only there were more of that to go around... =[ 16:00:28 David - Tom was asking about the Zakim db on phone numbers and how that works. As I recall you have some clue here? 16:00:31 ninjamarnau has joined #dnt 16:00:41 + +1.650.253.aaee 16:00:45 Zakim, unmute me 16:00:45 schunter should no longer be muted 16:00:45 zakim, aaee is ifette 16:00:46 +ifette; got it 16:00:54 efelten has joined #dnt 16:01:02 + +1.917.934.aaff 16:01:15 good morning, Ian 16:01:18 + +1.510.501.aagg 16:01:20 zakim, who is here? 16:01:20 On the phone I see schunter, [Mozilla], aleecia, dsriedel (muted), rvaneijk, +1.415.520.aabb, dsinger (muted), +1.646.654.aacc, jmayer, [Mozilla.a], ifette, +1.917.934.aaff, 16:01:23 gm, aleecia! 16:01:24 ... +1.510.501.aagg 16:01:24 [Mozilla.a] has sidstamm 16:01:24 [Mozilla] has tl 16:01:24 On IRC I see efelten, ninjamarnau, vinay, eberkower, ifette, jchester2, sidstamm, dsinger_, KevinT, jmayer, schunter, dsriedel, tl, Zakim, RRSAgent, rvaneijk, aleecia, tlr, 16:01:27 ... trackbot, hober, wseltzer, pde 16:01:31 + +1.202.326.aahh 16:01:39 +WileyS 16:01:45 WileyS has joined #DNT 16:01:45 + +1.206.658.aaii 16:01:50 fielding has joined #dnt 16:01:58 + +49.431.98.aajj 16:01:59 + +1.202.326.aakk 16:02:03 pedermagee has joined #dnt 16:02:08 Zakim, aakk is me 16:02:11 +efelten; got it 16:02:20 Zakim, aajj is ninjamarnau 16:02:20 +ninjamarnau; got it 16:02:24 schunter: congrats on shipping, now we go back to open issues. 16:02:39 … topic today is TPE, want to discuss open issues and assign actions 16:03:01 zakim, who is on the phone? 16:03:02 On the phone I see schunter, [Mozilla], aleecia, dsriedel (muted), rvaneijk, +1.415.520.aabb, dsinger (muted), +1.646.654.aacc, jmayer, [Mozilla.a], ifette, +1.917.934.aaff, 16:03:02 ... +1.510.501.aagg, +1.202.326.aahh, WileyS, +1.206.658.aaii, ninjamarnau, efelten 16:03:02 next agendum 16:03:02 [Mozilla.a] has sidstamm 16:03:04 [Mozilla] has tl 16:03:16 +fielding 16:03:25 (I can scribe if Wendy will backstop?) 16:03:28 I can do first part of meeting only 16:03:28 Zakim, who is on the phone? 16:03:29 On the phone I see schunter, [Mozilla], aleecia, dsriedel (muted), rvaneijk, +1.415.520.aabb, dsinger (muted), +1.646.654.aacc, jmayer, [Mozilla.a], ifette, +1.917.934.aaff, 16:03:31 ... +1.510.501.aagg, +1.202.326.aahh, WileyS, +1.206.658.aaii, ninjamarnau, efelten, fielding 16:03:34 [Mozilla.a] has sidstamm 16:03:35 [Mozilla] has tl 16:03:41 + +1.813.907.aall 16:03:55 alex_ has joined #dnt 16:04:06 + +1.206.369.aamm 16:04:08 aleecia, sorry, I'm at ICANN, so only on irc and unable to scribe 16:04:13 +??P74 16:04:14 scribe: KevinT 16:04:17 hefferjr has joined #dnt 16:04:25 tedleung has joined #dnt 16:04:27 close agendum 1 16:04:28 + +1.202.496.aann 16:04:28 is there a link to the minutes to comment on> 16:04:33 great :) 16:04:33 minutes approved 16:04:35 +??P77 16:04:36 close agendum 2 16:04:38 :-) 16:04:41 laurengelman has joined #dnt 16:04:42 vincent has joined #dnt 16:04:46 + +1.617.733.aaoo 16:04:57 +alex 16:05:10 starting overdue action items 16:05:15 npdoty has joined #dnt 16:05:49 Karl is unlikely to get to this. Why don't we send email and see if he's still interested. 16:05:54 Action 26: Karl - not present 16:05:54 Sorry, couldn't find user - 26 16:05:57 If not, we can ask if anyone else wishes to take it up 16:06:02 Action 47: Jonathan related to 49 16:06:02 Sorry, couldn't find user - 47 16:06:04 ac has joined #dnt 16:06:22 Action-79? 16:06:22 ACTION-79 -- Karl Dubost to dubost to validate whether TPE lists can be use to store opt-back-in features or not -- due 2012-02-10 -- OPEN 16:06:22 http://www.w3.org/2011/tracking-protection/track/actions/79 16:06:23 jonathan drafting in a couple hours 16:06:43 +npdoty 16:06:49 +[Microsoft] 16:07:00 Let's ping Karl please. 16:07:13 If Karl is not going to take it up, let's see if someone else is interested in doing so. 16:07:26 Andy is a good candidate. 16:07:32 + +1.202.744.aapp 16:07:37 Amy to work with Andy on action-79 to get status (Matthias to close it) and re-open if necessary 16:07:40 chapell has joined #DNT 16:07:40 action-93? 16:07:40 ACTION-93 -- Jeffrey Chester to write suggestions for best practices for issue-115, assisted by Ninja, Alan, Jim -- due 2012-02-29 -- OPEN 16:07:40 http://www.w3.org/2011/tracking-protection/track/actions/93 16:07:49 ChrisPedigoOPA has joined #dnt 16:08:08 I am on EU privacy call for the event next Monday. It's running late and I will join soon. 16:08:15 thanks, Jeff 16:08:22 cOlsen has joined #dnt 16:08:30 Ninja: in review - Matthias to send Jeff reminder 16:08:37 action-104? 16:08:37 ACTION-104 -- Peter Eckersley to draft text for issue-24 -- due 2012-02-09 -- OPEN 16:08:37 http://www.w3.org/2011/tracking-protection/track/actions/104 16:08:39 + +1.646.666.aaqq 16:08:39 issue-24? 16:08:40 ISSUE-24 -- Possible exemption for fraud detection and defense -- open 16:08:40 http://www.w3.org/2011/tracking-protection/track/issues/24 16:08:45 Amy, can you take point on this one? 16:08:52 + +1.202.326.aarr 16:09:00 johnsimpson has joined #dnt 16:09:16 Disagree 16:09:21 + +1.202.587.aass 16:09:23 does anyone else want to take on this action? 16:09:43 There's 125 emails on that issue, /someone/ needs to do text for that issue 16:10:07 apoogies just joining what issue? 16:10:19 Amy to take ownership to check with Peter on this issue. 16:10:20 issue-24? 16:10:20 24 16:10:20 ISSUE-24 -- Possible exemption for fraud detection and defense -- open 16:10:20 http://www.w3.org/2011/tracking-protection/track/issues/24 16:10:22 We have draft text for security discovery and defense operational purpose exceptions 16:10:46 Action-104? 16:10:46 ACTION-104 -- Peter Eckersley to draft text for issue-24 -- due 2012-02-09 -- OPEN 16:10:46 http://www.w3.org/2011/tracking-protection/track/actions/104 16:10:47 aleecia, are you talking about action-104 (security) or action-107 (offline data)? 16:10:48 WileyS, That's you, Amy and pde? 16:10:59 Correct 16:11:05 =] 16:11:23 isn't this issue 24? 16:11:24 JC has joined #DNT 16:11:25 Amy to take ownership for 104 and 107 16:11:25 +johnsimpson 16:11:35 Yes - Action 104 is linked to Issue 24 16:11:36 action-109? 16:11:37 ACTION-109 -- Adrian Bateman to draft text for issue-54: Can first party provide targeting based on registration information even while sending DNT -- due 2012-02-13 -- OPEN 16:11:37 http://www.w3.org/2011/tracking-protection/track/actions/109 16:12:08 Adrian send proposal, move to pending review 16:12:11 right? logged-in state? we had a proposal there? 16:12:37 tl: Action-137 should also move to pending review 16:12:51 action-120? 16:12:51 ACTION-120 -- Alexandros Deliyannis to write a proposal on web-wide exception API (for ISSUE-113) (with npdoty) -- due 2012-03-07 -- OPEN 16:12:51 http://www.w3.org/2011/tracking-protection/track/actions/120 16:12:51 zakim, mute me 16:12:51 aleecia should now be muted 16:12:59 Nick, I made the argument to dropping Logged-in State exceptions via the public email list yesterday 16:13:21 Alex, it's 111 16:13:24 thanks for issue-24 texts, Jonathan. 16:13:27 +jchester2 16:13:35 alex_: waiting on discussion from action-111, will submit next week 16:13:50 action-123? 16:13:50 ACTION-123 -- Jeffrey Chester to draft a response to 1st/3rd proposal (with Lauren) -- due 2012-02-29 -- OPEN 16:13:50 http://www.w3.org/2011/tracking-protection/track/actions/123 16:13:51 great, thanks, WileyS; and can you confirm that it's in response to action-109? 16:13:55 https://www.w3.org/2011/tracking-protection/track/actions/123 16:14:08 Are you still working on it? 16:14:09 jchester: no progress, needs one more week 16:14:18 action-130? 16:14:19 ACTION-130 -- Matthias Schunter to collect use-cases for URI vs Response header -- due 2012-02-29 -- OPEN 16:14:19 http://www.w3.org/2011/tracking-protection/track/actions/130 16:14:28 kj has joined #dnt 16:14:46 Nick, correct, Action 109 16:15:01 that one's fine to close 16:15:01 tl: defunct, will be discussed in Agenda 5 today 16:15:10 has been overtaken by events 16:15:13 action-133? 16:15:13 ACTION-133 -- Matthias Schunter to collect comparison criteria and summarize comparison in URIvsHeaders table -- due 2012-02-29 -- OPEN 16:15:13 http://www.w3.org/2011/tracking-protection/track/actions/133 16:15:36 +1 16:15:37 can we add the URI to that table to that action? 16:15:47 good idea, Nick 16:15:55 okay, will do 16:15:57 move to pending review 16:16:06 action-135? 16:16:06 ACTION-135 -- Shane Wiley to detail use case for ISSUE-111 (DNT;2) -- due 2012-02-29 -- OPEN 16:16:06 http://www.w3.org/2011/tracking-protection/track/actions/135 16:16:19 Thank you 16:16:23 Shane - time estimate? :-) 16:16:33 keep open due to active discussion 16:16:43 do you want to assign a date? 16:16:50 action-136? 16:16:50 ACTION-136 -- Matthias Schunter to propose simplified set of fields for URI and response headers -- due 2012-02-29 -- OPEN 16:16:50 http://www.w3.org/2011/tracking-protection/track/actions/136 16:17:08 fine with me 16:17:08 schunter: next meeting 16:17:11 Aleecia, if everyone would simply agree with me, then the time estimate would be today. :-) Difficult to guage an estimate at this time. 16:17:21 That's what I had the :-) 16:17:37 LOL - missed that 16:17:49 WileyS, the action is just to provide a detailed use case, right? we don't all have to agree with you on it :) 16:18:02 I agree -- it's hard to estimate right now 16:18:05 tl: suggest closing and waiting for unified response discussion 16:18:09 action-137? 16:18:09 ACTION-137 -- Thomas Lowenthal to draft alternate proposal on first-party targeting based on registration information -- due 2012-03-10 -- PENDINGREVIEW 16:18:09 http://www.w3.org/2011/tracking-protection/track/actions/137 16:18:21 pending review 16:18:24 action-138? 16:18:24 ACTION-138 -- David Singer to investigate definitions of user action/input in HTML5 or similar specs -- due 2012-03-07 -- OPEN 16:18:24 http://www.w3.org/2011/tracking-protection/track/actions/138 16:18:39 He was on but dropped a few minutes ago 16:18:39 dsinger has joined #dnt 16:18:44 Now he's back on! 16:18:47 David's back 16:18:51 action-139? 16:18:51 ACTION-139 -- Thomas Lowenthal to improve wording of 3.9 "Meaningful Interaction" to avoid "affirmatively clicking" and make sure that "clicking" is replaced with something more general. -- due 2012-03-11 -- OPEN 16:18:51 http://www.w3.org/2011/tracking-protection/track/actions/139 16:19:03 dsigner sent a small piece of text on 138: http://www.w3.org/mid/2CA04067-5D89-4B30-81D9-47A64461FA38@apple.com 16:19:04 Action-138, status when you get a chance please David 16:19:10 tl: needs until next week 16:19:13 s/dsigner/dsinger/ 16:19:16 I think this is pending review for 138 16:19:29 action-138? 16:19:29 ACTION-138 -- David Singer to investigate definitions of user action/input in HTML5 or similar specs -- due 2012-03-07 -- OPEN 16:19:29 http://www.w3.org/2011/tracking-protection/track/actions/138 16:19:38 +[Apple] 16:19:41 -dsinger 16:19:41 action-140? 16:19:41 ACTION-140 -- David Singer to work on updates to TPE introduction (harmonize with Shane/John) -- due 2012-03-07 -- OPEN 16:19:41 http://www.w3.org/2011/tracking-protection/track/actions/140 16:19:43 action-141? 16:19:43 action-140 is close and shipped 16:19:43 ACTION-141 -- Rigo Wenning to draft text on clarity that this is for user agents (addressing his concern) -- due 2012-03-07 -- OPEN 16:19:44 http://www.w3.org/2011/tracking-protection/track/actions/141 16:19:58 zakim, [apple] has dsinger 16:19:58 +dsinger; got it 16:19:58 138 should be pending review, 140 is closed. 16:20:09 Action 111 has several detailed use cases - if we feel we've collected enough use cases at this time then perhaps we can move the item to "pending review" 16:20:09 Sorry, couldn't find user - 111 16:20:14 Lia has joined #dnt 16:20:42 dsinger: action-138 completed 16:20:54 yes 16:20:57 done, shipped. 16:21:08 dsigner: action-140 completed 16:21:13 "not completely harmonized, but certainly improved" 16:21:15 I'll provide edits later but feel the new draft is moving in the right direction (but still too long) 16:21:22 s/dsigner/dsinger/ 16:21:33 How quaint is it that we use the verb "shipped" to describe pointing arrows to specific revisions of a version-control system? 16:21:40 +1 to WileyS on a shorter intro 16:21:43 Shane - my guess is we'll be fiddling with that text until the final.final.final version 16:21:45 sorry dsigner 16:21:54 Aleecia - agreed. 16:22:09 My tendency is to write the abstract last, after the rest. Same idea here, I think. 16:22:39 BrianTs has joined #DNT 16:23:06 If it would make anyone feel more comfortable, we can do a new action of "revise intro" in deep sleep and take it up later. 16:23:18 +q 16:23:19 New business: issue-111 16:23:22 I'm not offering to open it right now... 16:23:23 issue-111? 16:23:23 ISSUE-111 -- Signaling state/existence of site-specific exceptions -- open 16:23:23 http://www.w3.org/2011/tracking-protection/track/issues/111 16:23:39 next agendum 16:23:47 close agendum 3 16:23:51 +q 16:23:57 (sigh) 16:24:10 agenda? 16:25:04 q? 16:25:09 mav has joined #dnt 16:25:09 ack WileyS 16:25:57 Zakim, mute me 16:25:57 schunter should now be muted 16:26:26 If we have web-wide exceptions, the same issues around exchanges crop up. 16:26:39 WileyS: worked with Adobe on proposal for two key perspectives before proposed text. 1) consumer - I trust the "site", 2) I trust this "third party" - web wide 16:26:42 Zakim, unmute me 16:26:42 schunter should no longer be muted 16:26:46 q? 16:26:53 I'm concerned the practical effect of this proposal will be shunting sites and consumers to blanket exceptions instead of site-specific exceptions. 16:27:19 Previous proposals would have simply allowed more flexibility. 16:27:24 q+ 16:27:29 q+ 16:27:31 q+ to ask for examples of third parties we expect users would "trust" across the web 16:27:42 ifette, I imagine Google... 16:27:52 q+ 16:27:59 q+ 16:28:21 Yes ifette, social widgets would likely be a common use case. 16:28:39 so this is "I trust the NY Times and their choice of 3rd parties, and do not want to go through all their 3rd parties explicitly"? 16:28:39 … Large publishers: would prefer only trust site (vs. third party) . Recommend use of wildcard that is passed from site to third parties under contract (DNT:0) 16:29:10 new semantics: DNT;0 = you have an exeption 16:29:16 DNT;1 = do not track me 16:29:29 … removes needs for server-side calls, polling, etc… 16:29:30 I am also concerned that this proposal would weaken a user choice on DNT, providing uninformed blanket exceptions. 16:29:52 …. there is some need for server-to-server communication; adchoices meta data is a possible recommendation 16:30:05 the problem is that nyt does not know which third parties are part of such an ad chain like kevin mentioned in his emails 16:30:06 can someone point me to this proposal on the mailing list? I thought I was up to date on these threads, but I haven't seen this. 16:30:18 http://lists.w3.org/Archives/Public/public-tracking/2012Mar/0276.html 16:30:24 (I think) 16:30:31 can't the browser notice "you are visiting NY Times" and therefore send DNT:0 to all 3rd parties pulled in by that site? 16:30:34 schunter, Not "exception", DNT:0 is "You have consent to track me right now." 16:30:39 …. adchoices meta data— gives more data on what is inside the ad chain 16:30:57 We run into problems in Europe with * 16:31:20 q? 16:31:20 q? 16:31:21 We need to understand the full impact of using AdChoices metadata, and its impact on user choice (based on how its operationalized) 16:31:30 What if YieldManager has an exception but the ad network it syndicates to does not 16:32:09 q? 16:32:12 European law demands knowledge or at least possible knowledge of third parties - a blanket exception is no option 16:32:17 ack tl 16:32:21 Zakim, mute me 16:32:22 schunter should now be muted 16:32:33 zakim, unmute me 16:32:34 aleecia should no longer be muted 16:33:19 Zakim, unmute me 16:33:19 schunter should no longer be muted 16:34:31 Disagree Ninja - as processors do not need to be disclosed per the Data Protection Directive (and the draft regulation doesn't change this stance) 16:35:19 WileyS, the third parties are not processors here but rather controllers in my opinion 16:35:31 WileyS, I thought we were talking about additional "third parties", i.e. controllers 16:35:37 Ninja - exactly, your opinion, which is not EU law :-) 16:36:01 Shane you're suggesting you know EU privacy better than Ninja? :-) 16:36:08 q- 16:36:19 q- 16:37:09 I'm not talking about all third parties, but all cases when they collect and process data on their own behalf 16:37:09 Aleecia - no comment :-) 16:37:46 Wow 16:38:01 you're always welcome to prove me wrong Shane :-) 16:38:19 tlr has joined #dnt 16:38:26 Ninja, I could agree with you, but then we'd both be wrong. :-) 16:39:06 tl: the site-specific exception API is orthogonal to server-to-server communication, which would always be allowed if receiving DNT:0 16:39:17 Zakim, mute me 16:39:18 schunter should now be muted 16:39:21 So if YieldManager gets DNT:0 and redirects to AdExcahngeXYZ.... 16:39:25 q- 16:39:43 Zakim, unmute me 16:39:43 schunter should no longer be muted 16:40:41 q? 16:40:47 ack ifette 16:40:47 ifette, you wanted to ask for examples of third parties we expect users would "trust" across the web 16:40:55 (personally I don't think user agents ever need to send DNT:0 to the 1st-party site) 16:40:56 Dynamic delivery environments break the 1st party / 3rd party list concept 16:41:29 ifette: user would have to add an exception for a third party 16:42:18 Nick, how is that possible? Isn't the first party the one requesting an exception for their site. If they never are told they've been granted an exception they'll have to ask the user for one every page of the site (or at least the first page of the session) 16:42:31 … potential conflict from browser setting vs. backchannel passage through ad chain? 16:42:35 - +1.206.658.aaii 16:42:41 q? 16:42:53 + +1.202.494.aatt 16:43:00 q? 16:44:00 WileyS, first-party sites remember a lot about my preferences right now without asking me over and over again, with cookies, for example 16:44:07 -jchester2 16:44:43 q+ 16:44:49 q? 16:44:52 Nick - but they still need to capture it once. AND users need to go back to each first party to manage those preferences. By capturing exceptions in the browser, the user has a single place to manage their preferences. 16:45:02 I agree 16:45:37 Browser could send ad.com DNT:1 and 3rd party on site could send ad.com DNT:0 16:45:42 … will craft email to address issue with multiple redirects to get better clarity 16:45:54 q? 16:46:06 indeed if Ian can't figure it out, the doc is deeply broken in terms of communication 16:46:10 Agreed, WileyS! The JS api returns a value to the first-party so they can capture it. And I agree, site-specific exceptions are best managed by the user agent for that reason. 16:46:32 q? 16:46:35 I share the confusion. Reading and thinking needed 16:46:41 ack ninjamarnau 16:46:44 Nick, I'd rather not carry the weight of JS APIs if I can get the simple signal in the header. 16:46:44 ack JC 16:46:46 ACTION: ifette to review the proposed text for ISSUE-111 in the context of a redirect chain where some parties get 0, some parties get 1, and there is potentially some data sharing between the parties in the redirect chain 16:46:46 Created ACTION-146 - Review the proposed text for ISSUE-111 in the context of a redirect chain where some parties get 0, some parties get 1, and there is potentially some data sharing between the parties in the redirect chain [on Ian Fette - due 2012-03-21]. 16:46:50 That was how you and I designed the JS API to begin with, right? 16:47:14 that's similar to what i was asking 16:47:14 scribenick: npdoty 16:47:21 q+ 16:47:33 thanks npdoty 16:47:51 q? 16:47:56 jc: there's an ad network on the page, sends a request to another page to serve the ad -- doesn't it just send on the signal it received? 16:48:04 Nick, I agree and for "known" 3rd parties it makes perfect sense. But as the discussion moved to dynamic serving environments (like exchanges), it breaks our original approach so we've been looking for simpler implementations. 16:48:17 +1 16:48:20 -1 16:48:22 +q 16:48:24 d'oh 16:48:35 I believe so far, I have not seen any argument for changing the API? 16:49:10 q? 16:49:15 tl: dnt:1 doesn't mean that the user isn't allowed to know things about the user, just about this particular http interaction 16:49:43 q? 16:49:44 ... doesn't stop you from going down to the pub tomorrow and telling other wacky stories about me 16:49:46 tl: DNT is specific to a specific network interaction, the specific request. Just about the conversation now 16:49:53 JC: sounds good, I hope that's clear in the spec 16:50:23 dsinger: if DNT to some third parties and not all, the first party doesn't know who those are. First party can pass info to the wrong parties. 16:50:30 q? 16:50:33 ack dsingert 16:50:37 … 3rd parties can ignore it, better if no passing at all 16:50:38 ack dsinger 16:50:40 +q 16:50:41 q+ to state the first party may wish to know the state of what's happening with the third parties, e.g. is it worth displaying this giant facebook plugin 16:50:54 … two fall backs, including API 16:51:11 mute me 16:51:12 tl: as long as this specific network interaction, yes. 16:51:18 dsinger: the third parties who receive DNT:1 should still ignore the data they receive back-channel from the first party, and it would be better if they didn't receive it at all, but we're still good 16:51:30 q? 16:51:36 ack jmayer 16:51:37 ack jmayer 16:51:49 npdoty-not-scribe: this is one reason I think the first party should always receive DNT:1 16:52:10 jmayer: three points. first, motivation is exceptions are "broken" by ad exchange model. disagree, see dlist. 16:52:15 jmayer: concern that exceptions are "broken" for the ad exchange model, but they aren't for the reasons I described on the list 16:52:26 … but 3rd parties still have web-wide exceptions under Shane's proposal. 16:52:48 … unless CNN prompts you to change status, you have exception for Yahoo! and no others, if you had previously trusted Yahoo! 16:52:53 ... when I go to CNN and I have a web-wide exception for Yahoo and no other advertiser, still have the question of propagating different DNT status 16:53:04 … need browser API or other method anyway; problem does not go away (if there is a problem) 16:53:24 … 2nd: new communications on backend between 1st and 3rd parties 16:53:37 Not true - many server-to-server APIs in place across the Internet today 16:53:38 … bad outcome if DNT incentivizes new channels to share more about users 16:53:39 Zakim, mute me 16:53:39 schunter should now be muted 16:53:49 ... I am concerned about opening more back-end communication channels between 1st and 3rd parties, good because it gives us more insight into what's going on 16:54:12 I believe that if a site knows its third parties {tp1, ...., tpN}, it can ask what subset has exceptions. 16:54:13 ... would be unfortunate if DNT incentivized more back-end communication channels 16:54:19 … 3rd, fingerprinting. Different technical suggestions here, but don't think blanket first party - fingerprintable information there (missing part) 16:54:43 … need to deal with fingerprinting both for what we allow, and what advice we give to implementers 16:54:43 Zakim, unmute me 16:54:43 schunter should no longer be muted 16:54:44 q? 16:54:52 ack WileyS 16:55:06 WileyS: confusion, but dynamic environment is the core issue. 16:55:06 If a site does not know its third parties, then it cannot ask and some may not have exceptions. 16:55:10 WileyS: the key issue is the dynamic environment 16:55:30 … publisher's ability to gain an exception for themselves and 3rd parties they work with. 16:55:32 scribenick: aleecia 16:55:50 … dynamic adsorbing, no way for 1st party to know who ultimate 3rd party to be 16:56:10 … polling mechanism doesn't work. Until ad is served, the 3rd party isn't known (or on the list) 16:56:17 +q 16:56:18 … that's the problem we're trying to solve 16:56:20 Zakim, unmute me 16:56:20 schunter was not muted, schunter 16:56:23 q+ 16:56:27 q+ 16:56:27 Why does it matter if the page knows which *ad* is served? 16:56:32 how does that work with opt-out cookies currently? 16:56:37 They don't know now, and that's fine. 16:56:40 … if we're trusting a website and what happens there, removes the need for the JS API. 16:56:53 … all parties on that site get DNT:0 signal 16:57:05 What may matter is a publisher knowing which third parties are and aren't excepted. 16:57:13 In the current proposal, you need to ask for ¨*¨ thirdparties if you want to use dynamic serving (=do not know the actual third parties). 16:57:13 +q 16:57:16 ifette: similar question, as a first party want to know status of third paries. 16:57:33 ifette, agree that first parties should be able to learn third party exception status 16:57:38 many ways to do this, see the list 16:57:42 … is it worth having a FB plug in, or should I not display it? If DNT to some ad networks, choose the one with DNT:0 16:57:53 +q 16:58:03 … what info does 1st party get about their 3rd parties on their site 16:58:08 ack ifette 16:58:08 ifette, you wanted to state the first party may wish to know the state of what's happening with the third parties, e.g. is it worth displaying this giant facebook plugin 16:58:09 ack tl 16:59:01 tl: covered by tools available. for Shane's point: not knowing the final leaf of the ad serving decision tree, only way to request DNT:0 to all those parties is a this_site, * exception. That's transparent. Some sites know all of their third parites. 16:59:01 . 16:59:19 that could be good for competition if publishers could choose ad networks that have better privacy (assuming that the increased DNT:0s are a fair indicator of that) 16:59:32 whenever anyone says "if users understand that" i get big red flags going up in my mind :) 16:59:32 I agree. 16:59:35 … for other sites, need to make a * request to understand. Users can understand "Yahoo! would like to allow any tracker" and make a choice 16:59:49 - +1.917.934.aaff 16:59:57 … users have the right sort of choice. If a lot of sites ask site, * then that's ok. 17:00:02 q? 17:00:07 - +1.415.520.aabb 17:00:22 … sites may make multiple API calls: *, or social widgets in a different call, all of these uses are legit 17:00:39 … to Ian's point: they can discover the status via API, and user may be prompted 17:00:48 I have to hop but most sites do not know all their third parties 17:01:00 Ian: don't think that's accurate. Realistically, a priori want to know to serve appropriate content 17:01:16 Agree with Ian - there is no way to know BEFORE serving content with the current draft implementation 17:01:18 Ian: don't want to figure out client side what your page should look like 17:01:51 Jonathan, I said *before* the page loads :) 17:01:57 I think that site-specific exceptions would be an opportunity for publisher to know which 3rd parties are distrusted 17:02:12 q? 17:02:17 jmayer: very specific - how do we make sure 1st party knows status for 3rd parties. could do: 1. browser API only exposed to 1st party. 2. first and third party work it out asynch 17:02:23 zakim, who's making noise? 17:02:24 zakim, who is making noise? 17:02:28 Zakim, who is making noise 17:02:28 I don't understand 'who is making noise', schunter 17:02:34 ifette, listening for 10 seconds I heard sound from the following: johnsimpson (47%), +1.202.494.aatt (45%), jmayer (26%) 17:02:41 Zakim, mute johnsimpson 17:02:41 johnsimpson should now be muted 17:02:45 dsinger, listening for 10 seconds I heard sound from the following: johnsimpson (17%), +1.202.494.aatt (16%) 17:02:50 jamyer: not hard web engineering. first party learning about third a prior is technically possible, we can make it easier. 17:02:56 q? 17:03:16 Q? 17:03:18 thanks, Ian, for joining us 17:03:39 q- 17:03:44 If user consents to "*", are we agreed that DNT:0 should be sent to all 3rd parties on that publisher's site? 17:03:48 If yes, then I'm fine. 17:03:48 I'm not sure I can add as much 17:03:50 zakim, mute me 17:03:50 johnsimpson was already muted, johnsimpson 17:03:55 schunter: thinks there's no fundamental difference suggested. Want different proposals. 17:04:09 q? 17:04:11 if user consents to publisher,*, yes, the user agent will send DNT:0 to all 3rd parties, including after redirects, yes. 17:04:11 … anyone want an action to draft a different proposal? 17:04:12 -q 17:04:15 -[Microsoft] 17:04:19 q? 17:04:31 ack schunter 17:04:32 Nick, Thank you - then I believe there is no issue here 17:04:32 q? 17:04:35 ack schunter 17:04:39 schunter: API doesn't need to be changed from what I've learned 17:04:43 - +1.646.666.aaqq 17:04:45 Behold, the queue is empty! 17:04:45 +[Microsoft] 17:04:57 … API looks sound, no need for changes 17:04:59 -??P74 17:05:12 WileyS: Yes, if the user accepts {thissite,*} that's exactly what's going on. 17:05:37 Nick: if publisher asks for *, then sends DNT:0 to all parties after redirects 17:05:45 User may choose to only say ´yes´ for a specified list of third parties. 17:05:55 Shane: if user can convey that to all parties, then we're fine. 17:06:03 tl: that's exactly what * means 17:06:12 Ian: not subsequent requests 17:06:15 Correct - first request fails 17:06:26 how can a user trust a first party, when we assume that this first party does not know all of its third parties in a complex chain of multiple redirects 17:06:28 Don't think that's an issue. 17:06:32 (cross-talk) 17:06:58 ninjamarnau, I agree, I'm not sure "trust" is necessarily the right concept here, but if this is clear to the user, then I think it's acceptable 17:07:03 mav has joined #dnt 17:07:04 schunter: Google sends a page asking for G and all 3rd parties in response to DNT:1 17:07:14 tl: also DNT:0. 17:07:25 Ninja, they trust the 1st party to only work with the appropriate 3rd parties 17:07:43 wasn't the issue on the granularity of site specific exception? 17:07:45 WileyS, even though the 1st party doesn't know the 3rd parties that it works with? 17:07:47 … if you are a publisher, you send everyone DNT:0 except one social network, and you are a publisher and ask for *, I'm going to say no. 17:07:58 1st party takes on the onus of ensuring only appropriate 3rd parties appears on their site and can manage this proactively via their ad networks and exchanges 17:08:24 schunter: it's sort of black listing, if I don't like a widget everywhere, I need to say no to all * requests 17:08:36 … if site doesn't tell me all third parties, I have to say no 17:08:44 +q 17:08:48 Ian: site has no idea which parts of content are getting 1 or 0 17:09:06 tl: can ask self, 3rd party -- on JS request at a time 17:09:06 q? 17:09:39 Ian: I have to know every ad network I might redirect to, right? 17:09:56 this seems problematic to me 17:10:03 q? 17:10:19 tl: yes, but might be sensible to go for common options first. Exposes one thing missing: ability to request * except for {foo, bar} 17:10:41 ifette: but I don't know who I should be accepting 17:10:50 s/accepting/excepting/ 17:10:52 jmayer is in the queue 17:10:54 s/accepting/excepting 17:11:01 (thank you both) 17:11:09 q? 17:11:29 WileyS, I agree. But I am concerned that this is not the case. Though this is not an issue DNT can solve. 17:11:54 ACTION: ifette to enumerate scenarios in which requesting exception[mysite,*] might not work, e.g. user says no, then how do you figure out what you can or cannot get exceptions for, such as if user is only saying no to facebook but you don't know which, if any, of their ad networks the user is objecting to 17:11:54 Created ACTION-147 - Enumerate scenarios in which requesting exception[mysite,*] might not work, e.g. user says no, then how do you figure out what you can or cannot get exceptions for, such as if user is only saying no to facebook but you don't know which, if any, of their ad networks the user is objecting to [on Ian Fette - due 2012-03-21]. 17:12:23 Ninja, the existance of DNT and AdChoices are bringing increased awareness and focus across publishers to "care" about this situation and take more proactive steps to manage the quality of the 3rd parties on their site. 17:12:48 Okay - I can help explain the corner cases 17:12:49 hopefully :-) 17:12:55 The fact that a user agent says ´no´ to ¨thissite, *¨ if a user does not like a third party is complicated. 17:12:57 +q 17:12:58 q? 17:13:15 jeff: how does this affect real-time ad exchange model 17:13:17 q? 17:13:24 WileyS, if the first parties are taking that onus to audit, then wouldn't they know the list of 3rd-parties to request for? 17:13:28 ack jmayer 17:13:30 (so basically Ian's point…) 17:13:46 q? 17:13:48 jmayer: concerns from "corner cases" assume a polling-based rather than list-based API. 17:14:11 … not sure fingerprinting concerns are a problem 17:14:19 you should not be able to ask questions about other than yourself and in your own status 17:14:20 I don't think that works, but can we take that discussion offline. 17:14:48 - +1.202.494.aatt 17:14:49 … could have APIs in browser that a 3rd party could abuse for tracking, since we have countless examples already. 17:15:03 'what are my exceptions?' is the question (where 'my' is the script origin, as defined by cross-site scripting) 17:15:26 Agree - I've been asking for that on the chain :-) 17:15:32 ACTION schunter to restructure and clarify ISSUE-111 17:15:32 Created ACTION-148 - Restructure and clarify ISSUE-111 [on Matthias Schunter - due 2012-03-21]. 17:15:36 … given there are technical ways to limit scope of API to browser, we should open the discussion on fingerprinting again, since marginal privacy risk may be slight and there may be gains 17:15:41 + +1.202.494.aauu 17:15:49 I'm not sure I agree with Jonathan's interpretation of the implementation risk, but I'm perfectly happy to open that for more discussion 17:15:54 tl: are you taking an action, Jonathan? 17:16:04 Please add me to the action item for the deeper exploration on this topic. 17:16:18 jmayer: already have a proposal. 17:16:35 - +1.202.494.aauu 17:16:36 ISSUE revive Javascript API for obtaining exceptions as a list (only for 1st parties; 3rd parties cannot call it) 17:16:44 dsinger: we can take script origin so you can only find out about yourself 17:16:52 ian: first party wasn't origin based? 17:17:22 Zakim, mute me 17:17:22 schunter should now be muted 17:17:24 I suggest one of us take an action to start a thread between jmayer and the browser vendors (at least Mozilla + Microsoft who had the fingerprinting concern) to investigate that risk 17:17:28 tl: jquery from CDN, half my stuff wrapped up in jquery, how is browser knowing which things are who? 17:17:57 jmayer: Ian, thinks first parties might span multiple domains, but using domains for technical implementations 17:18:05 Zakim, unmute me 17:18:06 schunter should no longer be muted 17:18:31 KevinT1 has joined #dnt 17:18:43 … Tom's question, how do we know who can call the API, not as concerned since browser already has top level origin for reasons on the dlist (Sid) - if your origin is the same as the top level, API does useful things. 17:18:55 tl: can you write that to compare? 17:18:58 ACTION jmayer to write alternate API 17:18:58 Created ACTION-149 - Write alternate API [on Jonathan Mayer - due 2012-03-21]. 17:19:02 jmayer: sure, sending email now 17:19:20 schunter: other actions here? 17:19:42 … if not, would like to have a look at status on the header + well known URI 17:19:50 - +1.202.496.aann 17:20:01 tl: status is, writing now, will send out by tuesday. 17:20:23 … must have tracking status resource. response header only when something changes within cache duration 17:20:40 … may send response header the rest of the time 17:20:46 thanks for the summary, though 17:20:55 q? 17:20:55 schunter: full discussion next call 17:21:10 … discussion about opt-in globally and EU law? 17:21:24 Sounds good 17:21:32 ninja: disagreeing with Shane and will take off-line, have discussion, then get back to the group 17:21:40 +1, thanks to Ninja and Shane for doing so 17:21:44 action here? 17:21:44 Sorry, bad ACTION syntax 17:21:46 LOL - she said she's "NOT" disagreeing with Shane 17:21:56 ACTION ninjamarnau to analyse EU legal implications of exceptions to (thissite, *) 17:21:56 Sorry, couldn't find user - ninjamarnau 17:21:58 habit! :-) 17:22:12 s/disagreeing with/not disagreeing with 17:22:13 s/disagreeing with/not disagreeing over law but maybe over mechanism/ 17:22:24 thanks nick 17:22:57 yes, I do think we are NOT disagreeing. I am optimistic :-) 17:22:57 - +1.202.587.aass 17:22:58 schunter: didn't rip API apart, can improve it, but not wholesale shift. Use cases help 17:23:04 so sorry 17:23:04 -johnsimpson 17:23:07 -dsriedel 17:23:25 scribe_fail 17:23:27 - +1.202.326.aarr 17:23:28 -efelten 17:23:28 -[Mozilla.a] 17:23:30 - +1.202.744.aapp 17:23:31 -ninjamarnau 17:23:32 Thanks for scribing, aleecia! 17:23:32 - +1.206.369.aamm 17:23:32 -rvaneijk 17:23:32 - +1.510.501.aagg 17:23:33 -[Apple] 17:23:36 -jmayer 17:23:37 - +1.646.654.aacc 17:23:37 sidstamm has left #dnt 17:23:38 bye 17:23:39 - +1.617.733.aaoo 17:23:41 -[Mozilla] 17:23:42 tedleung has left #dnt 17:23:43 - +1.202.326.aahh 17:23:46 -[Microsoft] 17:23:46 Zakim, list attendees 17:23:47 -WileyS 17:23:51 It's great when we finish early. 17:23:51 -fielding 17:23:54 As of this point the attendees have been tl, schunter, aleecia, +2191374aaaa, dsriedel, rvaneijk, +1.415.520.aabb, dsinger, +1.646.654.aacc, +1.202.684.aadd, jmayer, [Mozilla], 17:23:54 RRSAgent, set logs world-visible 17:23:56 ... sidstamm, +1.650.253.aaee, ifette, +1.917.934.aaff, +1.510.501.aagg, +1.202.326.aahh, WileyS, +1.206.658.aaii, +49.431.98.aajj, +1.202.326.aakk, efelten, ninjamarnau, fielding, 17:23:58 Zakim, who is making noise? 17:23:59 ... +1.813.907.aall, +1.206.369.aamm, +1.202.496.aann, +1.617.733.aaoo, alex, npdoty, [Microsoft], +1.202.744.aapp, +1.646.666.aaqq, +1.202.326.aarr, +1.202.587.aass, johnsimpson, 17:24:03 ... jchester2, +1.202.494.aatt, +1.202.494.aauu 17:24:05 -ifette 17:24:05 RRSAgent, make minutes 17:24:05 I have made the request to generate http://www.w3.org/2012/03/14-dnt-minutes.html aleecia 17:24:06 -alex 17:24:08 - +1.813.907.aall 17:24:10 -??P77 17:24:13 npdoty, listening for 10 seconds I could not identify any sounds 17:24:15 -aleecia 17:24:19 -npdoty 17:24:20 johnsimpson has left #dnt 17:24:23 ACTION ninjamarnau to analyse EU legal implications of exceptions to (thissite, *) 17:24:23 Sorry, couldn't find user - ninjamarnau 17:24:23 -schunter 17:24:25 T&S_Track(dnt)12:00PM has ended 17:24:25 Attendees were tl, schunter, aleecia, +2191374aaaa, dsriedel, rvaneijk, +1.415.520.aabb, dsinger, +1.646.654.aacc, +1.202.684.aadd, jmayer, [Mozilla], sidstamm, +1.650.253.aaee, 17:24:25 ... ifette, +1.917.934.aaff, +1.510.501.aagg, +1.202.326.aahh, WileyS, +1.206.658.aaii, +49.431.98.aajj, +1.202.326.aakk, efelten, ninjamarnau, fielding, +1.813.907.aall, 17:24:28 ... +1.206.369.aamm, +1.202.496.aann, +1.617.733.aaoo, alex, npdoty, [Microsoft], +1.202.744.aapp, +1.646.666.aaqq, +1.202.326.aarr, +1.202.587.aass, johnsimpson, jchester2, 17:24:31 ... +1.202.494.aatt, +1.202.494.aauu 17:24:36 ACTION nmarnau to analyse EU legal implications of exceptions to (thissite, *) 17:24:36 Created ACTION-150 - Analyse EU legal implications of exceptions to (thissite, *) [on Ninja Marnau - due 2012-03-21]. 17:42:54 tlr has joined #dnt 18:24:48 mischat has joined #dnt 18:50:05 KevinT has joined #dnt 19:32:13 ifette has joined #dnt 20:16:30 tlr has joined #dnt 20:48:03 KevinT1 has joined #dnt 21:50:08 KevinT has joined #dnt 23:50:08 mischat has joined #dnt