15:48:38 RRSAgent has joined #dnt 15:48:38 logging to http://www.w3.org/2012/03/21-dnt-irc 15:48:40 Zakim, clear agenda 15:48:40 agenda cleared 15:48:49 Agenda? 15:49:02 Thank you 15:49:22 Coming in via iPad, not so great 15:49:28 Agenda+ scribe 15:49:57 Agenda+ (no comments on minutes) 15:50:22 Agenda+ overdue action item review 15:51:17 Agenda+ action-56 housekeeping 15:51:44 tl has joined #dnt 15:51:44 Agenda+ issue-28 15:51:57 fielding has joined #dnt 15:52:27 Agenda+ Issue-14 15:52:33 Agenda+ 32 15:52:55 Agenda+ issue-69 15:53:12 Agenda+ issue-54 15:53:27 Agenda+ issue-65 15:53:38 Agenda+ big issues 15:53:58 Agenda+ announce next meeting & adjourn 15:54:22 rigo has joined #dnt 15:54:38 efelten has joined #dnt 15:55:00 T&S_Track(dnt)12:00PM has now started 15:55:07 +efelten 15:55:18 +tl 15:55:59 efelten has aleecia 15:56:06 zakim, efelten has aleecia 15:56:06 +aleecia; got it 15:56:16 Well, that's exciting. 15:56:32 Thanks! Typing is not going well on this 15:56:33 npdoty has joined #dnt 15:56:47 Are we on hold now? 15:56:48 zakim, code? 15:56:48 the conference code is 87225 (tel:+1.617.761.6200 sip:zakim@voip.w3.org), rigo 15:57:26 +Rigo 15:57:37 +npdoty 15:57:43 johnsimpson has joined #dnt 15:57:50 Nick, could you make sure to grab the urls from the agenda as we hit them? 15:58:06 Zakim, agenda? 15:58:06 I see 12 items remaining on the agenda: 15:58:08 1. scribe [from aleecia] 15:58:11 2. (no comments on minutes) [from aleecia] 15:58:12 3. overdue action item review [from aleecia] 15:58:15 4. action-56 housekeeping [from aleecia] 15:58:16 5. issue-28 [from aleecia] 15:58:18 6. Issue-14 [from aleecia] 15:58:20 7. 32 [from aleecia] 15:58:22 8. issue-69 [from aleecia] 15:58:24 9. issue-54 [from aleecia] 15:58:26 10. issue-65 [from aleecia] 15:58:28 11. big issues [from aleecia] 15:58:30 12. 
announce next meeting & adjourn [from aleecia] 15:58:34 vincent_ has joined #dnt 15:59:06 + +1.202.629.aaaa 15:59:22 +??P19 15:59:27 zakim, aaaa is John_Simpson 15:59:27 +John_Simpson; got it 15:59:40 zakim, ??P19 is Vincent 15:59:40 +Vincent; got it 15:59:47 Thanks, Rigo 15:59:50 zakim,202.629.aaaa is johnsimpson 15:59:50 sorry, johnsimpson, I do not recognize a party named '202.629.aaaa' 16:00:06 yes, Thanks Rigo 16:00:06 john, I already did that 16:00:17 thanks 16:00:20 + +1.919.388.aabb 16:00:27 An iPad, really? 16:00:35 Not an android tablet? 16:00:42 zakim, aabb is anna_long 16:00:42 +anna_long; got it 16:00:50 Anna has joined #dnt 16:00:59 + +1.646.654.aacc 16:01:10 Or something running B2G =p 16:01:14 eberkower has joined #dnt 16:01:21 zakim, who is on call? 16:01:21 I don't understand your question, johnsimpson. 16:01:22 +WileyS 16:01:27 + +1.516.695.aadd 16:01:29 tl, B2G ? 16:01:29 elise berkower has called in from 646 16:01:35 zakim, drop aacc 16:01:35 +1.646.654.aacc is being disconnected 16:01:36 - +1.646.654.aacc 16:01:37 i can scribe 16:01:41 WileyS has joined #DNT 16:01:48 Lia has joined #dnt 16:01:53 scribenick: vincent 16:02:01 scribenick: vincent_ 16:02:01 Agenda? 16:02:04 eberkower will be re-dialing in from 646-654 16:02:13 vincent_, Boot to Gecko, Mozilla's new mobile operating system built entirely using the web! 16:02:29 Zakim, take up agendum 3 16:02:32 Zakim, aacc is eberkower 16:02:36 eberkower: we asked 3 times who joined and got no response 16:02:36 ac has joined #dnt 16:02:38 +fielding 16:02:41 + +1.617.733.aaee 16:02:54 zakim, on call? 16:02:56 i typed it 16:02:59 agendum 3. 
"overdue action item review" taken up [from aleecia] 16:03:03 sorry, efelten, I do not recognize a party named 'aacc' 16:03:05 http://www.w3.org/2011/tracking-protection/track/actions/overdue 16:03:08 dsinger has joined #dnt 16:03:09 KevinT has joined #dnt 16:03:09 alex_ has joined #dnt 16:03:15 aleecia: action 56 is about reviewing current 16:03:24 ...: draft 16:03:38 Zakim, take up agendum 4 16:03:38 I don't understand your question, johnsimpson. 16:03:40 adrianba has joined #dnt 16:03:40 zakim, [apple] has dsinger 16:03:42 + +1.415.520.aaff 16:03:44 +[Microsoft] 16:03:56 +??P51 16:04:08 action-56? 16:04:09 ACTION-56 -- Kevin Trilli to propose text on enabling auditing compliance -- due 2012-02-01 -- PENDINGREVIEW 16:04:09 http://www.w3.org/2011/tracking-protection/track/actions/56 16:04:22 +[Apple] 16:04:22 aleecia: changing the due date for action 56 for two weeks from now 16:04:26 JC has joined #DNT 16:04:26 agendum 4. "action-56 housekeeping" taken up [from aleecia] 16:04:30 +dsinger; got it 16:04:34 Joanne has joined #DNT 16:04:37 enewland has joined #dnt 16:04:40 + +1.646.654.aagg 16:04:42 +justin_ 16:04:43 take up agendum 5 16:04:49 zakim, mute me 16:04:50 issue-28? 16:04:50 ISSUE-28 -- Exception for mandatory legal process -- pending review 16:04:50 http://www.w3.org/2011/tracking-protection/track/issues/28 16:04:52 +alex 16:04:59 John_Simpson should now be muted 16:05:16 aleecia: issue 28 associated to action 28, DNT means follow local laws 16:05:21 justin has joined #dnt 16:05:32 + +1.813.366.aahh 16:05:34 http://www.w3.org/2011/tracking-protection/drafts/tracking-compliance.html#ExemptionIssues 16:05:38 ... : section 4.5.4 in the latest draft 16:05:42 + +1.415.520.aaii 16:05:47 +justin_.a 16:05:55 hefferjr has joined #dnt 16:05:59 -??P51 16:06:16 +q 16:06:25 ack tl 16:06:28 Ack tl 16:06:31 ifette has joined #dnt 16:06:38 +1.415.520. 
is Joanne 16:06:40 tl: unhappy with the descriptions 16:06:42 + +1.206.369.aajj 16:06:43 BrianTs has joined #DNT 16:06:47 Zakim, aaii is Joanne 16:06:47 +Joanne; got it 16:07:06 q+ 16:07:08 What? Make a decision to not follow the law? Disagree strongly. 16:07:12 tedleung has joined #dnt 16:07:18 + +2930aakk 16:07:26 Zakim, aakk is ifette 16:07:26 +ifette; got it 16:07:26 WileyS, I think that was the opposite of t 16:07:29 Ack Rigo 16:07:37 +[Microsoft.a] 16:07:39 ...: if you violate DNT you should notify the affected user 16:07:48 rrsagent, link? 16:07:48 I'm logging. Sorry, nothing found for 'link' 16:07:52 rrsagent, minutes? 16:07:52 I'm logging. Sorry, nothing found for 'minutes' 16:07:54 ... opposite of Tom's point, that people would make a decision to follow the law and not follow DNT and that's fine 16:07:58 rrsagent, pointer? 16:07:58 See http://www.w3.org/2012/03/21-dnt-irc#T16-07-58 16:08:01 ac has joined #dnt 16:08:06 +[Microsoft.aa] 16:08:12 +q 16:08:22 Nick, Tom said you "make a decision to either follow the law or follow the standard". I disagree and believe you MUST make a decision to follow both. 16:08:25 rigo: you are operating in a certain legal frameword (e.e europe data retentention) and there is nothing you can do about it 16:08:34 If you want to state you are DNT compliant 16:08:47 rrsagent, make logs member 16:08:48 ...: saying something create more confusion 16:08:51 Ack johnsimpson 16:08:53 +??P78 16:09:10 +q 16:09:23 johnsimpson: evident that the law overright DNT you should follow the law 16:09:48 ... : if you are required to turnover data because of the law you should notify the user 16:09:52 Ack WileyS 16:09:54 I said: If the law required to do something contrary to DNT, you need to choose which is more important to you. When you inevitably decide that you'll follow the law of the land instead of a technical standard, you are in violation of the technical standard. That's okay. 
16:10:29 should notify is " data breach notification" which is a mess anyway 16:10:35 WileyS: more important now after tl point 16:10:50 q+ 16:11:05 + +1.202.326.aall 16:11:06 Ack dsinger 16:11:19 But I completely agree that whenever you share data in violation of DNT, whether through breach or legal compulsion, you SHOULD notify users. 16:11:34 [But law may prohibit you from doing do.] 16:11:46 dsinger: imagine the service operating in a repressive regim, if you have to obey by law you have to bey by law there is nothing you can do about it 16:11:51 q+ 16:12:00 aleecia: what about if the law ask you to do more than DNT? 16:12:07 Ack ifette 16:12:11 seems to me clear you need to follow the law... 16:12:20 ifette: no need for a statement "you should follow the law" 16:12:35 +1 16:12:39 [obviously] 16:13:04 +1 for keeping the language as is 16:13:12 +q 16:13:20 ditto dsinger 16:13:24 Ack tl 16:13:35 ditto dsinger 16:13:52 tl: the standard should not specify anything about local law and should not speak about the law topic at all 16:13:55 q+ to say companies may operate in multiple jurisdictions 16:13:59 the law is the law 16:14:01 q+ 16:14:07 ack ifette 16:14:07 ifette, you wanted to say companies may operate in multiple jurisdictions 16:14:16 Disagree with that perspective - it's not a "get out of jail free" - rather you can support the standard AND follow the law. 16:14:34 Law trumps standard - but that doesn't mean you're not compliant with the standard 16:14:37 "reasonable" 16:14:38 ifette: if you're in multiple country, one country expect to violate DNT and one expect you to complie, it might be nice to have something for that situation 16:14:51 Zakim, who's making noise? 16:15:02 npdoty, listening for 10 seconds I could not identify any sounds 16:15:13 the only thing that is necessary to say is that if the law requires you to violate the standard, you *should* notify the user if possible... 
16:15:34 aleecia: it gets more complicated, in some cases the law applying is the one applying where the server is in some case it's where the user is 16:15:43 I disagree with any statement that says "following law = violation of standard" 16:15:44 Q. 16:15:47 ... : could we writ esomething that will cover this case 16:15:48 Q? 16:15:51 We're not solving international jurisdictional disputes in this document . . . 16:15:53 That's why this language is so important 16:15:55 q? 16:15:58 Ack fielding 16:15:58 ack fielding 16:16:08 +q 16:16:23 I did not get that 16:16:28 "Any laws from any jurisdiction that may apply to the request or transaction taking place are assumed to take precedence over requirements of this specification" 16:16:33 don't mean "violate" standard. should mean compel you not to follow it? 16:16:33 fielding: I prefer David's shorter version 16:16:47 thanks npdoty 16:16:52 fielding: I think the final sentence on contract fulfillment is unnecessary 16:17:26 dsinger: just wanted to clarify, in case someone said that they had a legal obligation in that they had a contract with another company 16:17:49 dsinger: avoid the case where two company create a contract that would allow to avoid DNT (using the contract as a justification) 16:18:07 the more we say, the more we create a mess IMHO 16:18:21 "Breaching a contract" isn't really a violation of law. 16:18:26 tl: it is local law because the contract may be subject to a local law 16:18:46 fielding: you would not be violating the law by breaking a contract 16:19:10 kj has joined #dnt 16:19:26 +1 for a Note 16:19:27 +1 but don't feel strongly 16:19:27 + somewhat 16:19:28 can live with 16:19:30 +1 16:19:33 is that implying that there is still some text around law? 
16:19:35 +1 but don't feel that strongly 16:19:40 +1 moderately 16:19:48 strawpoll on wether we should mention contract ( the final sentence) 16:19:48 Lot of +.5s 16:19:49 +1 there should be some text, dont care about sentences about contracts 16:19:53 Rigo - without saying this, you could trap implementers that attempt to follow the standard (and state so in their privacy policy) AND follow the law. Without this language, following the law could be considered a "violation" of your privacy policy committment. Would make DNT a legally toxic concept to support as "violation" is almost assured. 16:19:54 If we have text around law, then it must disclaim contracts, but there should not be any language about law. 16:20:10 contracts cannot override laws or regulations or judicial process. 16:20:19 -1 16:20:21 -1 16:20:26 -1 16:20:34 fielding: No, but they can prohibit you from complying with DNT. 16:20:37 -1 16:20:58 tl, that would be a different issue 16:20:58 + +1.202.496.aamm 16:21:00 "overall we're getting a lot of meh" 16:21:00 aleecia: no strong sense of support for this, more people supporting than against 16:21:11 fielding: That is the issue at hand. 16:21:16 KevinT1 has joined #dnt 16:21:17 ...: anyone with a strong objection or can we live with it 16:21:30 Zakim, who is making noise? 16:21:41 npdoty, listening for 10 seconds I heard sound from the following: +1.202.496.aamm (23%), efelten (76%) 16:21:49 +1 16:21:55 Zakim, mute efelten 16:21:55 efelten should now be muted 16:21:58 sorry which issue 16:22:01 Zakim, mute aamm 16:22:01 +1.202.496.aamm should now be muted 16:22:02 But add separate breach notification. 16:22:13 q+ 16:22:16 Zakim, unmute aamm 16:22:16 +1.202.496.aamm should no longer be muted 16:22:17 Zakim, unmute efelten 16:22:18 efelten should no longer be muted 16:22:18 ack tl 16:22:19 aleecia: should we mention local law at all? 
(stawpoll) 16:22:21 John, the "follow the law" statement draft 16:22:51 aleecia: we should look at what should the text be 16:23:00 Indeed, a party may take action contrary to the requirements of this standard if compelled by applicable law. If compelled by applicable law to collect, retain, or transmit data despite receiving a DNT:1 signal for which there is no exemption, the party should notify affected users to the extent practical and allowed by law. 16:23:01 This specification is not intended to override applicable laws and regulations. 16:23:02 Indeed, a party may take action contrary to the requirements of this standard if compelled by applicable law. If compelled by applicable law to collect, retain, or transmit data despite receiving a DNT:1 signal for which there is no exemption, the party should notify affected users to the extent practical and allowed by law. 16:23:02 It should be noted that this allowance does not extend to the fulfillment of a contractual obligation. 16:23:10 This language is a deal-breaker, especially if it allows contracts to override DNT. 16:23:26 from http://www.w3.org/2011/tracking-protection/drafts/tracking-compliance.html#ExemptionIssues 16:23:39 I don't see how this can be construed to imply contracts 16:23:44 ack ri 16:23:47 +q 16:23:50 ...: of the two sentences anything in particualr somebody wants to cut 16:23:58 Q? 16:24:14 rigo: we should'nt introduce data breach notifications cause they are too complex 16:24:18 regardless, the last sentence does not do what tl wants. 16:24:29 sgtm 16:24:31 Ack tl 16:24:39 (the first two sentences of existing text sgtm) 16:24:44 tl: "may" should be "must not" 16:24:52 fielding: What do you understand my goal to be here? 16:25:01 aleecia: already discussed, check with a strawpoll 16:25:04 -1 16:25:06 +1 16:25:12 _1 16:25:32 aleecia: no support on that one, any other change on these two sentences? 
16:25:33 try: "Local laws and regulations take precedence over this standard, when applicable; however, contractual obligations do not." 16:25:34 Nick - question for you, can anyone join the weekly meetings (aka public)? Similar to the email list? 16:25:44 If compelled by applicable law to collect, retain, or transmit data despite receiving a DNT:1 signal for which there is no exemption, the party should notify affected users to the extent practical and allowed by law. 16:25:47 +[IPcaller] 16:25:56 q+ 16:26:12 Ack fielding 16:26:34 "the extent practical" is also somewhat unclear 16:26:42 did not get it 16:26:54 Nick, are you there? Question for you, can anyone join the weekly meetings (aka public)? Similar to the email list? 16:26:56 fielding: should always refer to 'laws and regulations' not just laws 16:27:13 laws, regulations, or judicial orders? 16:27:18 Q? 16:27:26 thanks npdoty 16:27:27 agreement to change to 'laws and regulations' in both sections of that paragraph 16:27:28 change if compelled by applicable law to if compelled by applicable law or regulations 16:27:35 roy, judicial orders are usually supported by some law, no? 16:27:44 aleecia: any other changes for this text? 16:27:50 probably in the case of dnt, but not normally 16:27:53 roy, rulings are derived from laws or regulations, so no need to further detail 16:27:56 Yes, I like dsinger's proposal, with notification addendum. 16:28:07 npdoty, question for you, can anyone join the weekly meetings (aka public)? Similar to the email list? 16:28:10 + 16:28:12 +1 16:28:14 WileyS, sorry, we're a little busy at the moment. 
16:28:20 I'd like "must" notify, but could live with "should" 16:28:20 +1 to delete the paragraph (both sentences) 16:28:27 Nick, easy question - yes or no 16:28:28 ...: stawrpoll if you beleive there should be no "should notify" +1 on IRC 16:28:40 +1 16:28:40 WileyS, fine for people to join the calls in general, though if our phone bridge collapses I might not encourage all of them ;) 16:28:40 proposal cut: the party should notify affected users to the extent practical and allowed by law. 16:28:45 +1 16:28:49 -1 16:28:50 -1 16:28:52 if we want to change it? 16:28:55 npdoty, thank you. 16:28:57 ... : to keep that sentence -1 16:28:57 -1 16:29:02 -1 16:29:03 +0 -- don' want ot get rid of but change 16:29:18 chapell has joined #dnt 16:29:34 aleecia: looking like an even splite 16:29:40 I propose: Local laws and regulations take precedence over this standard when applicable, but contractual obligations do not. If compelled to take action contrary to this standard parties SHOULD/MUST notify affected users to the extent practical and allowed by law. 16:30:08 q+ 16:30:11 ifette: main concern "extent practical" not really defined, it's not the same that data breach notification 16:30:26 aleecia: agree that it is not data breach 16:30:34 At Mozilla, we consider subpoenas to be data breaches. That's part of our security models. 16:30:41 ... : in term of no practical, two solution 16:30:43 +1 to tl's proposal 16:30:45 exactly tl :) 16:30:47 They're the hardest breach to protect against. 16:30:52 "commercially reasonable as determined by the holder of the data" 16:30:53 :) 16:30:57 ... 
: 1) make the text non-normative 16:31:01 - +1.415.520.aaff 16:31:03 ack ri 16:31:07 Ack rigo 16:31:13 ...: 2) define what the "extent practical" is 16:31:19 +1 - commercially reasonable as determined by holder of data 16:31:43 i'm fine with dropping the notification 16:31:50 it's not that meaningful in most cases probably 16:31:51 chapell: You realize that that was the viewpoint being caricatured? 16:31:59 you're some third party ad network with just an IP, what are you supposed to do 16:32:10 rigo: concer about losing focus, we should talk about this in a different specification that is focused on governemental collection and notification 16:32:19 TL: yes 16:32:29 that's the same as dropping the sentence, right? 16:32:36 aleecia: proposal, we take the sentence "shoudl notify" and make it non-normative (strawpool) 16:32:42 no SHOULD 16:32:48 aleecia: if you' re opposed to changing the section to NON-normative 16:33:00 can't have a "should" in non-normagtive, caN YOU? 16:33:12 ... please indicate +1 16:33:23 Should is per se normative 16:33:24 -justin_.a 16:33:33 q+ 16:33:34 tl: can' t have non-normative instructions ... 16:33:37 tl: it is normative instruction, either you shoudl do it, or you should not do it 16:33:40 ack fielding 16:33:48 Ack fielding 16:34:04 RF: tracking indicates that you' re tracking for a reason, one of them is that for reason of law 16:34:07 fielding: the tracking status response may indicate that you are trackign for a reason (might be the applicable law) 16:34:13 ... standard doesn' t apply to subpoenas 16:34:18 +justin_.a 16:34:40 fielding: How about: Local laws, legal and judicial process, regulations and so forth take precedence over this standard when applicable, but contractual obligations do not. 
If compelled to take action contrary to this standard parties SHOULD/MUST notify affected users to the extent practical and allowed by law 16:35:14 s/fielding: How/fielding, How/ 16:35:15 aleecia: We have already some response in Pref Spec and could indicate there. 16:35:32 my first counter-proposal is fine to drop 16:35:33 aleecia: at that point we might just take that sentence out and cover that in the spec, but not yet since we did not decide what the response should be 16:35:37 +1 tl text 16:35:40 thanks rigo 16:36:01 Local laws, legal and judicial process, regulations and so forth take precedence over this standard when applicable, but contractual obligations do not. 16:36:08 Local laws and regulations take precedence over this standard, when applicable; however, contractual obligations do not. 16:37:05 try: "Local laws and regulations take precedence over this standard, when applicable; however, contractual obligations do not." 16:37:24 -??P78 16:37:36 tl: text I'm proposing is a compromise, slight modifycation of dsinger text 16:37:47 +??P13 16:37:48 I'm fine with that 16:38:01 One person at a time please 16:38:10 How about: Local laws, legal and judicial process, regulations and so forth take precedence over this standard when applicable, but contractual obligations do not. If compelled to take action contrary to this standard parties SHOULD/MUST notify affected users to the extent practical and allowed by law 16:38:21 ...: that would be in replacement of the all thing, not jsut the second sentence 16:38:54 Remove the last sentence and I agree 16:38:56 replace all text with (a) Tom's sentence and (b) an open issue on notification. 16:39:18 That's better, but starting with "Adherence to applicable laws or regulations take precedence over ..." 16:39:43 What is "local" anyway? 
16:39:46 aleecia: we drope the three sentences and replace it with one 16:40:07 aleecia: remove local from there and just take law 16:40:14 Adherence to laws, legal and judicial process, regulations and so forth take precedence over this standard when applicable, but contractual obligations do not. 16:40:18 does anyone object to this as a concept? 16:40:54 resolution: Change three sentences to "Adherence to laws, legal and judicial process, regulations and so forth take precedence over this standard when applicable, but contractual obligations do not." in 4.5.4 16:41:00 resolution: change 3 sentences to dsinger's final single sentence, with an open question on notification (pending TPE) 16:41:22 I note that HTML5 doesn't allow you to violate it when local laws prohibit it. 16:41:28 ifette: fine with dropping my suggestion and accepting this 16:41:29 Agenda? 16:41:33 aleecia: finished discussing issue 28, moving on 16:41:42 Zakim, take up agendum 6 16:41:44 ISSUE-14? 16:41:44 ISSUE-14 -- How does what we talk about with 1st/3rd party relate to European law about data controller vs data processor? -- pending review 16:41:44 http://www.w3.org/2011/tracking-protection/track/issues/14 16:41:44 \ 16:41:45 agendum 6. "Issue-14" taken up [from aleecia] 16:42:04 simpler version: Applicable laws or regulations take precedence over this standard, but contractual obligations do not. 16:42:20 For the EU, the outsourcing scenario is clearly regulated. In the current EU Directive 95/46/EC, but also in the suggested regulation reforming the data protection regime, an entity using or processing data is subject to data protection law. A First Party (EU: data controller) is an entity or multiple entities (EU: joint data controller) who determines the purposes, conditions and means of the data processing will be the data controller. A service provider (EU: data 16:42:21 processor) is an entity with a legal contractual relation to the Data Controller. 
The Service Provider does determine the purposes, conditions and means of the data processing, but processes data on behalf of the controller. The data processor acts on behalf of the data controller and is a separate legal entity. An entity acting as a first party and contracting services of another party is responsible for the overall processing. A third party is an entity with no 16:42:23 contractual relation to the Data Controller and no specific legitimacy or authorization in processing personal data. If the third party has own rights and privileges concerning the processing of the data collected by the first party, it isn't a data processor anymore and thus not covered by exemptions. This third party is then considered as a second data controller with all duties attached to that status. As the pretensions of users are based on law, they apply to 16:42:24 aleecia: we might be moving this to another portion of the document, are we closed on issue-14? 16:42:26 first and third party alike unless the third party acts as a mere data processor. 16:42:47 fileding +1 16:42:57 Please remove this text in its entirety 16:43:01 q+ 16:43:02 +q 16:43:04 aleecia: anyone who can not leave with this text? 16:43:05 +q 16:43:06 +1 to WileyS 16:43:22 Ack fielding 16:43:33 fielding: not usefull for us to redefine data controler and data process, just use those terms and copy current definitions 16:43:34 Ack WileyS 16:43:39 +1 Shane 16:43:49 +1 to WileyS as well. This doesn't belong here or add very much. 16:43:50 q+ to say that this is a useful explanation for EU customers 16:44:31 WileyS: suggest to divorce legal tenant completley from the standard docuement, discuss them broadly but not the specifics 16:44:32 dsinger: fielding suggested "Applicable laws or regulations take precedence over this standard, but contractual obligations do not." which is even tighter. 
16:44:33 +1 to WileyS 16:44:40 Ack tl 16:44:44 ...: we should put that in a companion document 16:44:48 +1 to Shane 16:44:48 ack rigo 16:44:48 rigo, you wanted to say that this is a useful explanation for EU customers 16:44:50 Ack Rigo 16:44:50 +1 16:44:50 Lets push this to the standards doc 16:45:14 chapell, this is a standards document. do you want to move it to a separate document? 16:45:17 Put that in the companion document 16:45:28 q+ 16:45:30 @nick - yes, I meant companion doc 16:45:33 That's nice - but the A29WP isn't the purpose of this standard 16:45:47 rigo: -1, this is a added value, it is not specifying but it is a how to 16:45:48 Ack ifette 16:45:58 ... : how to handle dnt in EU 16:46:33 ifette: it could be informative but we're not witing an implementation of article 29 16:47:07 Separate document altogether please 16:47:15 +1 separate doc 16:47:16 +1: separate document. 16:47:18 +1 seperate doc 16:47:21 +1 with WileyS 16:47:24 aleecia: what I'm hearing is that we should move the text somewhere else, we could debate later where 16:47:25 We are agreed! 16:47:31 +1 to sep doc 16:47:59 Aleecia - it appears everyone (perhaps save Rigo) is asking for this to be moved to a separate document 16:48:13 Please look at all the +1s above 16:48:25 rigo: this endef-up here due to the discussion on 1st vs 3rd party and look to the EU scenario 16:48:42 rvaneijk has joined #dnt 16:48:57 rigo: I'd be satisfy if you go back to rvaneijk 16:49:06 Rigo - we don't disagree on the guidance - but rather we'd like to move to a separate document that discusses the entirty of the standard's tenants from individual local law perspectives 16:49:08 s/endef/ended 16:49:31 I think rvaneijk just joined actually 16:49:37 +rvaneijk 16:49:38 Agenda? 16:49:43 Aleecia - Rob just joined 16:49:43 Hi got stuck in traffic 16:49:55 would we be better to use the data controller, data processor model rather than 1st and 3rd party throughout entire document? 16:50:19 zakim, on call? 
16:50:19 I don't understand your question, johnsimpson. 16:50:25 http://www.w3.org/2011/tracking-protection/drafts/tracking-compliance.html#EUterms 16:51:16 rvaneijk: fine with moving the text in another docuement 16:51:20 Can we plan on "another document" rather than leaving "elsewhere' undefined? 16:51:22 - +1.516.695.aadd 16:51:27 everyone +1'd another doc 16:51:28 above 16:51:41 +q 16:51:41 resolution: we will move this text elsewhere 16:51:52 johnsimpson, unfortunately we can't avoid the third-party distinction entirely because the third-parties that we do care about are the ones that are controllers, not just processors. 16:51:53 resolution: rvaneijk ok with moving text of issue-14 elsewhere as the rest of first/third party still in flux 16:51:55 aleecia: ifette not sure what we gonna do yet 16:51:57 Hello Aleecia - in queue for the past issue 16:52:06 Zakim, take up agendum 7 16:52:06 agendum 7. "32" taken up [from aleecia] 16:52:07 tnx rigo 16:52:17 Ack WileyS 16:52:29 WileyS: many "+1" to move the text in another docuement 16:52:47 ..: did not see anyone against it 16:52:49 I'm not against separate document 16:52:50 To paraphrase Mr. Cameron: "I agree with Shane." 16:52:58 for the record. This could be a WG Note 16:53:07 issue-32? 16:53:07 ISSUE-32 -- Sharing of data between entities via cookie syncing / identity brokering -- pending review 16:53:07 http://www.w3.org/2011/tracking-protection/track/issues/32 16:53:08 aleecia: discussing with matthias on that issue 16:53:26 Rigo, can we move that to an issue? 16:53:35 http://www.w3.org/2011/tracking-protection/drafts/tracking-compliance.html#cookieSync 16:53:39 aleecia: issue-32a couple of note on that issue 16:54:02 - +1.202.496.aamm 16:54:19 ... propose postponing this issue until we figure out the question of service providers 16:54:35 ... 
and close action 106 16:54:38 +1 16:54:40 aleecia: suggestion on the table we close action 106 and move issue 32 to postpone 16:54:52 No, other than a meta comment to say it's hard to figure out "what is the text under review" 16:54:54 with giant email chains 16:55:10 (would be great to get a link to the relevant email / text directly) 16:55:11 ifette: So true. 16:55:16 q+ 16:55:31 Or if we had some way to propose text. Like a pull request. Just saying. 16:55:43 my fault, I sent an update this morning 16:55:52 q- 16:56:01 ISSUE-55? 16:56:01 ISSUE-55 -- What is relationship between behavioral advertising and tracking, subset, different items? -- closed 16:56:01 http://www.w3.org/2011/tracking-protection/track/issues/55 16:56:08 ISSUE-65 ? 16:56:08 ISSUE-65 -- How does logged in and logged out state work -- pending review 16:56:08 http://www.w3.org/2011/tracking-protection/track/issues/65 16:56:31 http://www.w3.org/2011/tracking-protection/drafts/tracking-compliance.html#loggedIn 16:56:32 If a user is logged into a first-party website and it receives a DNT:1 signal, the website must respect DNT:1 signal as a first party and should handle the user login as it normally would. If a user is logged into a third-party website, and the third party receives a DNT:1 signal, then it must respect the DNT:1 signal unless it falls under an exemption described in this document. 16:56:39 If a user is logged into a first-party website and it receives a DNT:1 signal, the website must respect DNT:1 signal as a first party and should handle the user login as it normally would. If a user is logged into a third-party website, and the third party receives a DNT:1 signal, then it must respect the DNT:1 signal unless it falls under an exemption described in this document. 16:56:39 Example use cases: 16:56:40 A user with DNT:1 logs into a search service called "Searchy". Searchy also operates advertisements on other websites. 
When the user is on a news website, Searchy receives DNT:1, and it must respect it, as Searchy is operating in a third-party context. 16:56:41 A user with DNT:1 enabled visits a shopping website and logs in. The shopping website continues to provide recommendations, order history, etc. The shopping site includes third-party advertisements. Those third-parties continue to respect DNT:1. When the user purchases the items in their basket, a third-party financial transaction service is used. The user interacts with the third-party service, at which point it becomes first-party and may use previously collect 16:56:46 -Joanne 16:56:46 data. 16:56:48 A user with DNT:1 visits a website (Website A) that uses a third-party authentication service called "LogMeIn". The user logs into the site with his LogMeIn credentials. The user has interacted with LogMeIn, and now it can act as a first-party. Now the user vists Website B, which also uses the LogMeIn service, but is branded differently than Website A. LogMeIn must respect the DNT:1 signal until the user chooses to interact with LogMeIn in order to log into Websi 16:57:02 aleecia: two different text proposals for this issue, one with some use cases and the other with no comment at all 16:57:11 With DNT enabled the site should not track the user when the user navigates to another site. However, the user should still be able to benefit from some level of personalization. 16:57:22 Straw poll time? 16:57:24 -fielding 16:57:26 + +1.949.573.aann 16:57:27 Q? 16:57:30 Is there an option that logging in == dnt0? 16:57:32 q+ 16:57:44 Zakim, aann is fielding 16:57:44 +fielding; got it 16:57:49 +q 16:58:04 dsinger: it's confuse to say a cookie to a third party and say "don't track me!" 
16:58:07 That happens with DNT anyway
16:58:32 aleecia: not sure that it is scope to this problem
16:58:34 I thought the point of DNT is that you could send a preference even though the browser might send identifying cookies
16:58:34 Ack Rigo
16:58:36 ack ri
16:59:15 rigo: there are some caveats that I try to discuss with use cases
16:59:46 ... : user not knowing that he's logged-in and look for sensitive information and get tracked
17:00:00 Isn't that what we have private browsing modes for?
17:00:05 ...: he's not aware of its logging cookie, DNT might be an opportunity to solve this issue
17:00:24 Ack tl
17:00:35 q+ to say we seem to be trying to solve use cases solved by incognito/private modes which i think is a bit different than what I anticipated DNT used for
17:00:50 tl: agree with rigo, the rule we have already cover the use cases
17:00:50 ack ifette
17:00:50 ifette, you wanted to say we seem to be trying to solve use cases solved by incognito/private modes which i think is a bit different than what I anticipated DNT used for
17:00:53 Ack ifette
17:01:01 strongly disagree with a 'logged in exception' also
17:01:11 +q
17:01:29 Ack jc
17:01:29 ack JC
17:01:30 ifette: it seems to be something we tried to address with private browsing
17:01:44 JC: not looking for an exception for logging state,
17:02:03 - +1.202.326.aall
17:02:12 if you're in private mode and you log in, you have given a very strong signal. why would you log in to facebook in a 'private browsing' session?
17:02:12 ...: if you're in private mode and you login the website know who you are
17:02:23 +q
17:02:36 ...: DNT does not mean do not personalize but it means do not keep track
17:02:47 q+
17:02:55 "I want the bread but I don't want to bake it"
17:03:28 - +1.617.733.aaee
17:03:30 Ack WileyS
17:03:31 JC: I want to know what my friend like in an article (active feedback)
17:03:35 q+
17:03:44
17:04:04 JC, Does option one allow what you want?
17:04:07 JC, this also applies filtering in streams, IMHO a more important use case
17:04:09 WileyS: I disagree, I believe logged-in implies consent
17:04:32 Yes
17:04:41 Shane is saying basically what I want to say
17:04:42 so i will drop off
17:04:43 q-
17:04:43 +1
17:04:44 ...: users are consenting to an experience, I don't believe DNT has a place there
17:04:47 Ack ifette
17:04:48 +q
17:04:54 ...: if you don't want that experience then logout
17:05:02 Ack dsinger
17:05:20 DNT doesn't block cookies
17:05:23 Logged-in = Out of Band Consent
17:05:42 q+
17:05:48 ditto shane … it should be an account preference that gives consent
17:05:58 I agree with shane
17:05:58 dsinger: if you send DNT:1 with a cookie, you can know who i am and tell me what my friends like
17:06:07 Logged-in = Out of Band Consent (if constructed appropriately) = trumps DNT (web-wide exception)
17:06:22 Ack tl
17:06:38 Logged in = Out of Band consent IF this standard's consent requirement is met
17:06:51 TL +1
17:06:57 +1 to TL
17:06:58 dnt:0 and a logged-in-cookie trumps DNT, not DNT:1
17:06:58 Don't participate in SocialNet (or Log out of SocialNet)
17:07:01 +1
17:07:01 tl: if I'm logging in Socialnet and then go and browse the web, I don't want social net to know which site I view
17:07:07 This is how you vote on SocialNet's features
17:07:14 Can't eat your cake and have it too
17:07:20 Strongly disagree
17:07:25 q-
17:07:26 strongly agree with tl
17:07:30 ...: we should prohibit that behavior, just because I'm logged in does not mean that SocialNet should be tracking me
17:07:36 Ack efelten
17:07:38 Not the same
17:07:52 jc, are you in agreement with shane or not? we seem to go back and forth
17:07:54 if you WANT socialnet's behavior, then send dnt:0 to them
17:07:58 aleecia: 3 possibilities:
17:08:05 How about middle ground --- SocialNet can serve you content based on the url and your profile, but they cannot store info for profile
17:08:07 It's gray
17:08:26 ...: 1) being logged in is irrelevant because DNT is still operative
17:08:33 Unless they clearly opted in as part of enrollment process.
17:08:35 I don't agree with tracking with DNT:1
17:08:39 Justin has it right, I think
17:08:45 ...: 2) it's relevant because I opted in
17:08:52 I agree with personalization with logged in state
17:08:57 ...: 3) is the option proposed by JC
17:09:01 q+
17:09:11 +q
17:09:19 Ack ifette
17:09:59 +1
17:10:00 +1
17:10:05 dnt:1, no logged-in cookies sent: plain DNT applies; dnt:1, logged-in cookies sent: recognize me, but don't add to your database about me;
17:10:06 +
17:10:11 +1
17:10:18 Ack JC
17:10:31 -[Microsoft.aa]
17:10:39 -??P13
17:10:43 This discussion conflates a lot of issues, but on this specific issue I would prefer to say nothing on loggedinness
17:10:45 adrianba has left #dnt
17:10:46 ifette: as I understand JC's proposal, when I log in to Facebook they could ask me at that time for a *,facebook.com exception so that they can track me around the Web, and that they otherwise can't
17:11:00 otherwise send dnt:0 to SocialNet and give them an exception
17:11:02 JC: I login to FB, they know I'm logging, if I have DNT one, every time I'm reading an article, people know that I'm reading that article
17:11:08 +??P11
17:11:14 Agree with Justin (and like the new word "loggedinness" :-) )
17:11:29 think about personalization in filtering information streams like stock selections you're looking at
17:11:38 ...: if I send DNT:1 people won't know I'm reading that article but I can still see which of my friends liked that article
17:11:40 @JC - not sure I disagree, but it seems complicated and difficult to implement
17:11:47 My middle ground I think would take care of JC's issue.
17:11:58 and if you actively interact, on the 3rd party site that could be logged
17:12:20 +q
17:12:24 aleecia: two action items:
17:12:43 that would be up to the site to offer
17:12:43 ...: 1) write this middle ground
17:12:44 They can if the service provider extends it
17:13:07 ...: 2) write WileyS's proposal
17:13:08 @JC - :-)
17:13:31 Yes
17:13:33 :-)
17:13:34 Sure, but I think my vision is reflected in the current spec.
17:13:36 Yes
17:13:37 action: cannon to write up personalization-without-tracking on loggedinness (with David and Shane)
17:13:38 Created ACTION-151 - Write up personalization-without-tracking on loggedinness (with David and Shane) [on JC Cannon - due 2012-03-28].
17:13:40 rrsagent, bookmark?
17:13:40 See http://www.w3.org/2012/03/21-dnt-irc#T17-13-40
17:13:43 -[Microsoft]
17:13:49 Question - aleecia, i had two actions due today, can you mark them pending review?
17:13:53 146+147
17:13:57 action: shane to write up logged-in-means-out-of-band-consent
17:13:58 Created ACTION-152 - Write up logged-in-means-out-of-band-consent [on Shane Wiley - due 2012-03-28].
17:14:02 aleecia: move forward on 65 when we have some text
17:14:36 1/ Do not track is not affected by login
17:14:37 1: dnt unaffected by DNT
17:14:39 2: middle ground
17:14:52 3: logged in seen as consenting to tracking, DNT is off after login
17:14:54 1
17:14:59 1
17:15:00 1.5
17:15:01 ifette votes 2
17:15:03 rather 3
17:15:04 Option 1
17:15:05 1 or 2
17:15:06 1 or 2
17:15:09 rigo votes 2
17:15:10 thanks ifette , rigo
17:15:11 typo :)
17:15:20 2
17:15:32 I think login and DNT are orthogonal, but personalization may be ok regardless of loggedinness
17:15:40 Zakim, take up agendum 11
17:15:40 agendum 11. "big issues" taken up [from aleecia]
17:16:02 I think the question 'how big is a first party' needs to be solved first
17:16:04 aleecia: moving forward on operational uses of data
17:16:18 Propose we do this at DC F2F
17:16:38 aleecia: hearing that what we can live with on parties will depend on operational uses of data and vice versa
17:16:43 ...: we will be talking about it in DC but we should make progress before we get there
17:16:46 ... take these issues together
17:17:02 ...: think to common use cases would be useful
17:17:06 my use case is filtering the information stream by a special disease
17:17:18 on a medical site
17:17:44 operational purposes
17:17:59 aleecia: use "operational uses" for "exemption/exceptions"
17:18:03 what's wrong with exemption?
17:18:11 exemptions not exceptions
17:18:27 ... anyone object to "operational purposes"
17:18:32 In text, I've been saying "User Granted Exceptions" and "Operational Purpose Exceptions"
17:18:36 I fixed that ;-)
17:18:39 ... exemptions and exceptions are confusing
17:19:09 I would call them exclusions
17:19:12 q+
17:19:12 as long as operational purposes will not be defined
17:19:30 ack tl
17:19:31 rvaneijk: the goal is to define operational purposes
17:19:44 rvaneijk, so speak up or be lost
17:19:44 Ack tl
17:19:44 Ack npdoty
17:20:02 npdoty: will we be judging the exemptions whether or not they're used for operational
17:20:03 q+
17:20:05 q+
17:20:13 Nomenclature solution - but seems like they would be judged in that light "necessary operational purposes"
17:20:23 q?
17:20:30 ack johnsimpson
17:20:48 johnsimpson: there are some exemptions that would be granted and that are not for operational purpose
17:20:54 +1 john
17:21:06 Perhaps we could call it an "operational exemption"?
17:21:14 ... exemption comes in the spec, exceptions are granted by the user
17:21:25 we would still be using "exception" for user-granted site-specific exceptions, right?
17:21:47 ... ok to move on, just note that some exemptions are not operation purposes
17:21:51 q?
17:21:55 ack rvaneijk
17:22:16 rvaneijk: operational uses has been used in the EU directive as well
17:22:16 "strictly necessary purpose" in EU language - not the same
17:22:22 RV: operational purpose would lead to confusion in EU
17:22:30 not the same but will lead to confusion
17:22:39 tl: "permitted uses"
17:22:39 permitted uses
17:22:41 permitted is better.
17:22:42 +1
17:22:45 tl: permitted uses (suggestions)
17:23:05 Wait, is this permitted by spec or permitted by user?
17:23:17 aleecia: anybody object to permitted uses?
17:23:29 aleecia: does anyone object to "permitted uses" as a placeholder for the moment? if anyone has a better idea, please share with the mailing list
17:23:58 A Björk
17:24:03 :)
17:24:11 So, "User Granted Exceptions" and "Permitted Uses" ?
17:24:48 The Yahoo! office is too small - sorry (could handle about 20 people - no more)
17:24:49 aleecia: not yet have a location in DC, three different organizations that would like to but can't
17:24:51 uses? retention, collection, sharing?
17:25:04 we have a dc office but it's not that large...
17:25:23 ... looking at up to 60 people, volunteer hosts are welcome
17:25:25 aleecia, operational question?
17:25:26 Thank you
17:25:28 -rvaneijk
17:25:31 -justin_.a
17:25:32 thx
17:25:32 -justin_
17:25:32 - +1.206.369.aajj
17:25:35 - +1.813.366.aahh
17:25:36 Thank you
17:25:38 'same time next week'
17:25:42 -[Apple]
17:25:45 -anna_long
17:25:49 -WileyS
17:25:53 -alex
17:25:54 -fielding
17:26:11 ACTION-146?
17:26:11 ACTION-146 -- Ian Fette to review the proposed text for ISSUE-111 in the context of a redirect chain where some parties get 0, some parties get 1, and there is potentially some data sharing between the parties in the redirect chain -- due 2012-03-21 -- OPEN
17:26:11 http://www.w3.org/2011/tracking-protection/track/actions/146
17:26:24 ifette wants to move 146 and 147 to pending review
17:26:31 -Rigo
17:26:38 -[IPcaller]
17:26:39 -[Microsoft.a]
17:26:42 -ifette
17:26:44 -John_Simpson
17:26:44 -efelten
17:26:45 - +1.646.654.aagg
17:26:46 ... and will do so now
17:26:47 johnsimpson has left #dnt
17:26:51 Zakim, list attendees
17:26:51 As of this point the attendees have been tl, aleecia, Rigo, npdoty, +1.202.629.aaaa, John_Simpson, Vincent, +1.919.388.aabb, anna_long, +1.646.654.aacc, WileyS, +1.516.695.aadd,
17:26:54 tedleung has left #dnt
17:26:55 ... fielding, +1.617.733.aaee, +1.415.520.aaff, [Microsoft], dsinger, +1.646.654.aagg, justin_, alex, +1.813.366.aahh, +1.415.520.aaii, +1.206.369.aajj, Joanne, +2930aakk, ifette,
17:26:55 ... +1.202.326.aall, +1.202.496.aamm, [IPcaller], rvaneijk, +1.949.573.aann
17:27:01 -npdoty
17:27:10 rrsagent, draft minutes
17:27:10 I have made the request to generate http://www.w3.org/2012/03/21-dnt-minutes.html npdoty
17:27:12 -Vincent
17:27:15 thanks npdoty , rigo and ifette for helping me scribing :)
17:27:17 -??P11
17:27:33 thanks to vincent for keeping up on a very fast-moving call!
17:27:57 chair: aleecia
17:28:06 meeting: Tracking Protection Working Group teleconference
17:28:07 that did seem very fast to me :)
17:28:13 rrsagent, make logs public
17:28:54 rrsagent, draft minutes
17:28:54 I have made the request to generate http://www.w3.org/2012/03/21-dnt-minutes.html npdoty
17:29:15 -tl
17:29:16 T&S_Track(dnt)12:00PM has ended
17:29:16 Attendees were tl, aleecia, Rigo, npdoty, +1.202.629.aaaa, John_Simpson, Vincent, +1.919.388.aabb, anna_long, +1.646.654.aacc, WileyS, +1.516.695.aadd, fielding, +1.617.733.aaee,
17:29:16 ... +1.415.520.aaff, [Microsoft], dsinger, +1.646.654.aagg, justin_, alex, +1.813.366.aahh, +1.415.520.aaii, +1.206.369.aajj, Joanne, +2930aakk, ifette, +1.202.326.aall,
17:29:16 ... +1.202.496.aamm, [IPcaller], rvaneijk, +1.949.573.aann
17:29:24 rigo has left #dnt
17:45:45 mischat has joined #dnt
17:58:38 mischat_ has joined #dnt
18:41:33 mischat_ has joined #dnt
19:12:26 KevinT has joined #dnt
19:15:15 tl has joined #dnt
20:21:06 tl has joined #dnt
20:52:24 tl has joined #dnt
20:59:40 mischat has joined #dnt