W3C

Tracking Protection Working Group teleconference

25 Apr 2012

See also: IRC log

Attendees

Present
+1.703.265.aaaa, WileyS, [Microsoft], fielding, robsherman, rvaneijk, ifette, aleecia, +8015aabb, +1.212.380.aacc, bilcorry, hwest, +1.813.366.aadd, alex, Cyril_Concolato, +1.202.835.aaee, Bryan_Sullivan, +1.415.552.aaff, tl, +1.202.744.aagg, vinay, Chapell, +1.202.494.aahh, +385221aaii, tedleung, +1.202.326.aajj, +1.630.489.aakk, dsinger, vincent, +1.212.565.aall, +1.202.744.aamm, +1.202.660.aann, efelten, +31.62.125.aaoo, +1.415.200.aapp, dsriedel
Regrets
justin, erica, Nick
Chair
aleecia
Scribe
bilcorry


<aleecia> http://www.w3.org/2012/04/10-dnt-minutes

<aleecia> http://www.w3.org/2012/04/11-dnt-minutes

<aleecia> http://www.w3.org/2012/04/12-dnt-minutes

bryan: can we identify the attendees list and observers

<ifette> i think he's asking for Members: <blah blah blah> Observers: <blah blah blah>

bryan: I'm not familiar with everyone that is there, want to know who is members and who is observers. Identify in the minutes who is members and observers

aleecia: I'll make a note for nick, no problem with doing that, will keep open for another week

<aleecia> nick, to add observer status for folks in minutes

<ifette> ACTION: npdoty to differentiate observers from members in attendee list for DC minutes [recorded in http://www.w3.org/2012/04/25-dnt-minutes.html#action01]

<trackbot> Created ACTION-189 - Differentiate observers from members in attendee list for DC minutes [on Nick Doty - due 2012-05-02].

<aleecia> Irony: call dropped for me

Action items review

<aleecia> https://www.w3.org/2011/tracking-protection/track/actions/overdue

aleecia: quite a few overdue actions to go through

<JC> Amy is out

aleecia: first one is kathy, not on call
... heather is working on action 156

heather: done, erica actually did it

aleecia: update as closed
... 158 is tom

<aleecia> action-158?

<trackbot> ACTION-158 -- Thomas Lowenthal to revisit text on logged-in/consent to override DNT preference -- due 2012-04-24 -- OPEN

<trackbot> http://www.w3.org/2011/tracking-protection/track/actions/158

tom: I have a number of overdue items, none done yet, need 10 days to finish all of them

<ifette> ACTION-158 due 2012-05-05

<trackbot> ACTION-158 Revisit text on logged-in/consent to override DNT preference due date now 2012-05-05

<WileyS> All of my items (save one) are completed and moved to pending review (the one open item I've sent to draft text to Ninja for her review)

aleecia: david singer action 159

<aleecia> action-159?

<trackbot> ACTION-159 -- David Singer to draft shorter language to describe conditions for consent (with npdoty) -- due 2012-04-24 -- OPEN

<trackbot> http://www.w3.org/2011/tracking-protection/track/actions/159

david: with nick, need another week for all of these actions

<tl> Thanks, ifette.

<WileyS> Another draft released last night for "conditions for consent"

<aleecia> action-182

<aleecia> action-182?

<trackbot> ACTION-182 -- David Singer to do a dependency check (TPE-Compliance) -- due 2012-04-20 -- OPEN

<trackbot> http://www.w3.org/2011/tracking-protection/track/actions/182

<aleecia> action-183?

<trackbot> ACTION-183 -- David Singer to double check API lannguage -- due 2012-04-20 -- OPEN

<trackbot> http://www.w3.org/2011/tracking-protection/track/actions/183

<tl> ACTION-167 due 2012-05-05

david: 183, need a week as well

<trackbot> ACTION-167 Come up with updated text for a DOM api to allow access to DNT state due date now 2012-05-05

<aleecia> action-181?

<trackbot> ACTION-181 -- David Singer to fix the language in the spec where necessary to reflect "permitted uses" and "user-granted exceptions" -- due 2012-04-19 -- OPEN

<trackbot> http://www.w3.org/2011/tracking-protection/track/actions/181

<tl> ACTION-175 due 2012-05-05

<tl> ACTION-177 due 2012-05-05

<trackbot> ACTION-175 Draft API method for sites to remove, a la removeTrackingException() due date now 2012-05-05

<tl> ACTION-178 due 2012-05-05

<trackbot> ACTION-177 Add an API to let a site request a web-wide exception due date now 2012-05-05

david: 181 will be done in a week

<trackbot> ACTION-178 Talk with Shane about an updated compliance proposal due date now 2012-05-05

<tl> ACTION-180 due 2012-05-05

<trackbot> ACTION-180 Provide a text update to section 4.3 to resolve issue 116 and ISSUE-84 due date now 2012-05-05

david: will update dates on my end

<tl> ACTION-185 due 2012-05-05

<trackbot> ACTION-185 Draft specific field proposal for optional auditors (with Kevin) due date now 2012-05-05

<WileyS> David, it was for you to review the User Granted API to confirm web-wide exceptions can leverage the existing structure (but with a different wild card location)

<tl> ACTION-187 due 2012-05-05

<trackbot> ACTION-187 Write text for ISSUE-99 around identity providers as first or third parties, DUE May 5 2012 due date now 2012-05-05

<aleecia> action-160?

<trackbot> ACTION-160 -- Peter Eckersley to work with Shane on common ground on unlinkability normative/non-normative text -- due 2012-04-24 -- OPEN

<trackbot> http://www.w3.org/2011/tracking-protection/track/actions/160

<WileyS> Has not occurred yet

<dsinger> action-159: due 2012-05-05

<trackbot> ACTION-159 Draft shorter language to describe conditions for consent (with npdoty) notes added

<ifette> dsinger, no colon

<aleecia> action-162?

<trackbot> ACTION-162 -- Erica Newland to remove note from section 5.3, now that we have consensus -- due 2012-04-18 -- OPEN

<trackbot> http://www.w3.org/2011/tracking-protection/track/actions/162

<dsinger> action-183: due 2012-05-05

<trackbot> ACTION-183 Double check API lannguage notes added

<ifette> dsinger, using a colon just adds a comment. no colon to change the date

<dsinger> action-182: due 2012-06-15

<trackbot> ACTION-182 Do a dependency check (TPE-Compliance) notes added

<ifette> ACTION-159 due 2012-05-05

<trackbot> ACTION-159 Draft shorter language to describe conditions for consent (with npdoty) due date now 2012-05-05

heather: action 162 hasn't happened yet, can take action

<ifette> dsinger, ...

<aleecia> action-163?

<trackbot> ACTION-163 -- Roy Fielding to explain confusion or an alternative to text explaining the interaction with existing user privacy controls -- due 2012-04-21 -- OPEN

<trackbot> http://www.w3.org/2011/tracking-protection/track/actions/163

<dsinger> action-181: due 2012-05-05

<trackbot> ACTION-181 Fix the language in the spec where necessary to reflect "permitted uses" and "user-granted exceptions" notes added

<dsinger> action-176: due 2012-05-05

<trackbot> ACTION-176 Update site-specific exceptions text to note that embedded third-party javascript may make the call rather than the first party (even though it probably shouldn't do so without working it out with the publisher) notes added

fielding: 163 haven't done it yet, next week

<ifette> dsinger, your updates aren't working (using a colon just adds a comment. omit the colon)

aleecia: early next week or this weekend for 163

<dsinger> action-182 due 2012-06-15

<trackbot> ACTION-182 Do a dependency check (TPE-Compliance) due date now 2012-06-15

<fielding> action-163: due next week

<trackbot> ACTION-163 Explain confusion or an alternative to text explaining the interaction with existing user privacy controls notes added

<ifette> ACTION-166 due 2012-05-01

<trackbot> ACTION-166 Draft updated text on definitions of "collection" and similar terms "Data collection, retention, use, and sharing" (with fielding) due date now 2012-05-01

<aleecia> action-170?

<trackbot> ACTION-170 -- Heather West to provide an alternative approach to well-known URI for resources that are used in both first-party and third-party contexts without changing the resource URI -- due 2012-04-19 -- OPEN

<trackbot> http://www.w3.org/2011/tracking-protection/track/actions/170

<tl> Aleecia, if you refresh, you should be able to skip my items.

<dsinger> action-183 due 2012-05-05

<trackbot> ACTION-183 Double check API lannguage due date now 2012-05-05

heather: 170 I will need more time on that, I will update my dates

<aleecia> action-171?

<trackbot> ACTION-171 -- Roy Fielding to insert the tk/uri hybrid into the tracking-dnt draft -- due 2012-04-19 -- OPEN

<trackbot> http://www.w3.org/2011/tracking-protection/track/actions/171

roy: 171 still not done, but should be done later today

<dsinger> action-181 due 2012-05-05

<trackbot> ACTION-181 Fix the language in the spec where necessary to reflect "permitted uses" and "user-granted exceptions" due date now 2012-05-05

<ifette> ACTION-165?

<trackbot> ACTION-165 -- Ian Fette to draft example text around using the Geolocation API for non-normative text on "Geolocation compliance" section in Compliance -- due 2012-04-25 -- OPEN

<trackbot> http://www.w3.org/2011/tracking-protection/track/actions/165

<dsinger> action-176 due 2012-05-05

<trackbot> ACTION-176 Update site-specific exceptions text to note that embedded third-party javascript may make the call rather than the first party (even though it probably shouldn't do so without working it out with the publisher) due date now 2012-05-05

ifette: 173 it's done, 165 also done

<WileyS> Draft is with Ninja

shane: 179 draft is with Ninja

<fielding> npdoty, I just sent JC's notes on TPE breakout in DC to the list; hopefully we can add them to the last day of minutes

aleecia: problematic that action items remain open call to call, please get them done on time, thanks to those who got things done

<aleecia> june 20-22

<JC> You're welcome

<JC> And possible reception

aleecia: thank you microsoft. fb, google, yahoo are sponsors, thank you. more welcome.
... more sponsors are welcome

<IAB-Chris> btw- I don't seem to be getting emails from this group (chris.mejia@iab.net) - can someone please help get me added?

<rvaneijk> great, thnx for all who are making this event possible

<IAB-Chris> thanks- will do

aleecia: chris, talk to nick

<tl> +1

Testing / Transitioning

aleecia: transitioning to DNT, new topic to group. Am I seeing problems that do not exist? Companies want to test, sending/receiving DNT, but don't want it considered live for compliance? Need testing flag?

<WileyS> Exit Criteria out of CR - need to articulate this in more detail

shane: picking up convo from DC, need to discuss exit criteria. Don't think we (Yahoo) need testing flag, but need web browser with implementation

roy: don't see any need for testing flag in protocol

ian: don't know if needs to be in protocol given browsers, no actual enforcement in browsers. from compliance side, no idea. if browsers display anything, don't know yet, open issue for now

kevin: most web development in beta environment, customers don't have access

<WileyS> +1 to what Ian said

ian: this isn't as simple as pushing one new file, must make sure all servers doing correctly. can't launch overnight, staged rollout needed

roy: will agree/disagree, will require staged rollout. rollout will be visible to user, can always turn back off

<WileyS> Could have negative UI treatment and could cause consumer harm

<IAB-Chris> all major technology changes take time to test and production test before going live-- nothing like this is trivial

<hwest> fielding, that would require that the user connect those two events (turning DNT on, stuff breaking) and I'm not sure that'll happen

??: it will take a while to prove is working in production, this is a test period, then change to show is now live

<fielding> It will almost certainly have negative UI treatment, no matter how much we test

<dsinger> I agree, I think sites can put up a disclaimer saying that DNT is in roll-out

<IAB-Chris> security testing will take a while, to protect consumers and business

<IAB-Chris> that's just security testing...

shane: there is no way to know what UI treatment will have, want to test external to see impact, more slowly test to make sure have clean experience
... speaking to response header, poorly formed response header, could be poor user experience, why we need browser and full spec before testing
... we need time for rollout

<IAB-Chris> time + full cooperation/access from browser company engineers

<IAB-Chris> to test, debug, etc.

ian: how will people indicate to users that it's testing, "we're honoring your preference" but then it's testing given how strict this group has been. how will message to users in testing mode

<WileyS> Agreed - don't beleive you can "test" in production

<WileyS> believe

JC: have a question about certification - how will browser indicate it complies with spec, level A, B, C?
... how know when browsers ready for DNT?

<fielding> this discussion is three months premature .. we don't even have a protocol yet.

<WileyS> Query structure

<WileyS> We covered this already

JC: programmatically?

<IAB-Chris> embedded device browsers = more than a few, btw

<JC> Difference between supports and compliant

shane: agree with JC completely, part of conversation on DNT null, should be able to poll to see if browser will respond to DNT stimulus

<tl> I think our current API(s) can be used for this purpose.

<aleecia> does that cover you, tl?

<IAB-Chris> and there are multiple variances of browsers, for different devices (i.e. embedded in devices like mobile phones, connected tv's, etc.) = LOTS of testing

<aleecia> think that was your point...

<tl> -q

roy: you can test to see if API exists, nothing we can add to spec

ian: API on browser has prefix (-webkit), non-std, then when ready, remove prefix

<tl> +1

aleecia: transitioning isn't thought out all the way yet

<ifette> no one answered my quest

<ifette> question

aleecia: see we'll be fine with what we have already

<WileyS> Ian, I don't believe there is a way to message to consumers that you're testing in production

<fielding> page content

ian: no one said how will indicate testing mode

<tl> +1 to fielding

<Chapell> I'm particularly concerned about those entities that really can't message users directly

<tl> Sometime, when you want to communicate to users, you just need to -- you know -- communicate with them.

<Chapell> can we think about a safe harbor for a period of time?

<WileyS> I don't believe large entities will modify the page content of every page to convey they are in "test mode"

<fielding> We are not regulators!

<tl> That sounds like an enforcement issue.

aleecia: can't offer safe harbor in stds group, no power to do so, can work with local regulators, not a W3C issue

<IAB-Chris> I'm not sure we can say it's not an issue, until we vet that with engineers from all browser companies (or am I missing something?)

<Chapell> ask chris and ed to pinky swear us that they won't go after legit attempts to comply (:

Permitted uses

aleecia: now talk about permitted uses with more detail

<aleecia> A. Non-associated data

<aleecia> Which is: Data that cannot be associated with a user

<aleecia> General sense: it is fine to use, with exact wording to follow. Any new useful thoughts here, or are we waiting for text?

aleecia: non-linkable data, peter and shane working on

<IAB-Chris> can you please re-state the idea?

aleecia: anyone feel this is non-controversial?

<tl> The only controversial aspect is how hard it must be to "link" back to users.

<rvaneijk> david, the idea is to remove the unique identifiers

<fielding> it's not out of scope because of the way all requirements are written in the spec

<rvaneijk> I think that is in scope

<tl> rvaneijk: NO!

<tl> This data may be "about" users, just not connectable with individuals.

<WileyS> I disagree with the proposal

<WileyS> Peter - we will definitely go through a few cycles

<dsinger> I mean, the data we are concerned about is "tracking data", which is necessarily about someone. we need a definition! that definition should lay out, for sure, why non-linkable data is out of scope and what it constitutes, but it's not an exception.

peter: describe approach in proposal with shane. you have to be sufficiently transparent, or linkable

<tl> -q

<fielding> +! dsinger

jeffery: I would want an explanation of what it means to be unlinkable and what may be used

<WileyS> Disagree with external verification stance

<tl> -q

<aleecia> Protocol information

<aleecia> Example: standard log files, not including cookies. Can we be specific here?

<aleecia> General sense: it is fine to keep log files before processing for a short span of time. Discussion was about 2 - 6 weeks retention, with some participants planning to speak more internally. Are we ready to reach a decision?

aleecia: much easier to discuss when have text. we have general agreement.
... next, protocol information. discussed in DC. want it crisper.

<WileyS> No to arbitrary timeframes

aleecia: talking about std log file for 2 - 6 week retention period. cookies are considered different.

<tl> +1

ian: didn't think cookies were something different.

<dsinger> Now, this IS an exception. You're retaining data. I suggested a "transient data exception" a few months back, and got a very negative reaction, IIRC

rob: logged-in vs. logged out makes sense to consider, different expectation

<IAB-Chris> general concern: 2-6 weeks is not generally sufficient for regression security analysis of data that the industry uses to find nefarious actors (this kind of analysis protects consumers)

aleecia: this is about raw log files

rob: looking at what a generic site is doing, they may want longer time.

<vincent> IAB-Chris, this is just raw logs you may still have some data for permitted uses

tom: disagree with rob and chris. any logs stored, shouldn't do any analysis on them. gives a short while to process logs.

<vincent> +1 to tl

<IAB-Chris> we should vet that assertion with actual security professionals who do this day-in, day-out

JC: should focus on specific compliance scenario. agree with processing period. can't say logs go away in two weeks then can't handle fraud.

<robsherman> When we talk about "processing" log files, does that contemplate that the log files will be anonymized/aggregated?

<IAB-Chris> I believe that raw log files ARE used for security and fraud purposes

<hwest> I think that's standard security practices, aleecia

JC: should we find out exploit after that fraud, need to go back. microsoft keeps log files for more than three months.
... will do more research on this to understand current practices.

<IAB-Chris> shouldn't we be talking about restricting use (for privacy concerns), rather than limiting time of storage (for security/fraud analysis)?

<aleecia> we're going to be moving to take an action item to write proposals on this Very Soon

<Zakim> dsinger, you wanted to discuss the brief discussion at http://lists.w3.org/Archives/Public/public-tracking/2012Feb/0526.html

tom: every day webserver store logfiles, every day processes log at 5am and sends data to security server. misunderstanding of what this is about.

david: period of collecting raw data and the processing of it

aleecia: asking for 1 or more people to take action item for this

<tl> Me, of course.

<WileyS> I'll take the Use Protection approach

<IAB-Chris> I was there in DC-- I get it; I'm just not necessarily in agreement and would encourage the group to get expert advice from the security community, before proceeding with potentially limiting policy

<tl> Agreed.

<aleecia> action items for ian, tl, shane

<tl> Likewise.

<ifette> ACTION: ifette to write up proposal for allowed uses for protocol data in the first N weeks [recorded in http://www.w3.org/2012/04/25-dnt-minutes.html#action02]

<trackbot> Created ACTION-190 - Write up proposal for allowed uses for protocol data in the first N weeks [on Ian Fette - due 2012-05-02].

<aleecia> aleecia to create issue

<ifette> ISSUE: how should protocol data be allowed to be used in the first N weeks?

<trackbot> Created ISSUE-142 - How should protocol data be allowed to be used in the first N weeks? ; please complete additional details at http://www.w3.org/2011/tracking-protection/track/issues/142/edit .

<ifette> ACTION-190: addresses ISSUE-142

<trackbot> ACTION-190 Write up proposal for allowed uses for protocol data in the first N weeks notes added

<aleecia> Contextual Content / Ad serving

<aleecia> Is this special in any way? Do we actually need anything here beyond a non-normative statement?

<ifette> ACTION: lowenthal to write up proposal for allowed uses for protocol data in the first N weeks for ISSUE-142 [recorded in http://www.w3.org/2012/04/25-dnt-minutes.html#action03]

<trackbot> Created ACTION-191 - Write up proposal for allowed uses for protocol data in the first N weeks for ISSUE-142 [on Thomas Lowenthal - due 2012-05-02].

aleecia: discuss permitted use - contextual ad serving. Do you need anything special here beyond billing, auditing, fraud prevention?

<ifette> ACTION: wiley to write up proposal for allowed uses for protocol data in the first N weeks for ISSUE-142 [recorded in http://www.w3.org/2012/04/25-dnt-minutes.html#action04]

<trackbot> Created ACTION-192 - Write up proposal for allowed uses for protocol data in the first N weeks for ISSUE-142 [on Shane Wiley - due 2012-05-02].

<rvaneijk> aleecia, please repeat

<tl> action-192 due 2012-05-05

<trackbot> ACTION-192 Write up proposal for allowed uses for protocol data in the first N weeks for ISSUE-142 due date now 2012-05-05

<IAB-Chris> add "security/consumer protection" to "billing, auditing and fraud prevention"?

<aleecia> the question I have is: do we need a specific permitted use for contextual content & ad serving? isn't this covered elsewhere?

alex: the first party has an ad, the ad is served by someone (party), ad is for party (coke), analytics another party. 1 ad has N parties. If click on ad, who becomes first party?

tom: user expectations says coke is first party. different parties are service providers.

aleecia: should have another example in non-normative

<Zakim> bryan, you wanted to ask if this permitted use is part of the 1st party rights, as the ability to delivery contextual content is a need of 1st parties

bryan: is the assumption that if it isn't explicit permitted use that it's covered by third party?
... can't use contextual information of device if third party?

<tl> -q

<fielding> AFAIK, we already agreed that contextual ads are okay with DNT

aleecia: contextual ad is NYT fuzzy puppies article with fuzzy puppies ad

chris: contextual ads/content, don't need data across multiple sites, but need data where they are right now

<IAB-Chris> semantic and contextual is not tied to the user-- it's tied to the page content

<bryan> the need of a 3rd party to ensure that the content is compatible with the device requires the ability to use context to prepare that content. So the term "contextual content" is not clear enough (or was not to me).

chris: DNT shouldn't cover individual data about where they are at this moment. users don't want to be tracked across multiple sites

<hwest> Agree with Chris, Roy, Tom, Aleecia - we've already thought about contextual ads

roy: no one has ever asked for contextual ads to be covered by DNT, do we need this discussion?

<tl> +1: indeed, I keep using context ads as an example.

<IAB-Chris> contextual based ad serving (alone) doesn't tie at all to a particular user

<bryan> i.e. if a 3rd party delivers markup that breaks the user experience because they could not use user-agent details and other device capabilities info to tailor the content, then users will just turn off DNT in response

<tl> bryan, that's not the question.

aleecia: if this is covered by other areas, don't need special treatment. does this need to be permitted use?

<Marc> That was my point - we need it because we have not defined tracking anywhere, no?

david: we haven't written down what we mean by tracking. use of real-time data isn't in scope.

<fielding> Do you mean that third party needs enough information about the page in order to provide contextual ad?

<dsinger> I find it hard to view real-time data as "tracking", i.e. data that's evident in real-time can be used in real-time, it's whether it is *remembered* that we care about. Data in the URL, IP address, geo-loc based on IP address. Once you read or write to a "database", bingo, you're in scope. It might be *imprudent* to do a lot of this, it might freak users, but it's not tracking.

rob: this is bound up in first/third party. at facebook, don't do contextual ads on other peoples sites, but contextual content.
... suggest we leave as open issue

marc: without definitions, we need a placeholder

<bryan> the point I was trying to make (somewhat obscurely perhaps), is that 3rd parties have a similar need as 1st parties to use context in basic ways, independent of DNT

<aleecia> D. Public purposes

<aleecia> A late-added and not yet defined category. Examples include IP protection and E911. Unclear if this needs special handling, or are all examples already covered by existing law?

<WileyS> I didn't give those examples

aleecia: not sure what this means, brought up by Shane

<tl> I do not think that we need any additional text or discussion on this topic.

<WileyS> Most of what we're discussing in the Compliance document is already covered by country laws.

aleecia: wondering if need to discuss or take as a new permitted use

<tl> I do not think we should add a permitted use.

marc: reason inserted, in the FTC report distinguishes public purpose such as IP protection (page 39)

<Zakim> tl, you wanted to say -1

tom: don't think we need to add anymore text on this topic. think all uses covered by existing law. doesn't make sense to add IP protection.

aleecia: if FTC is permitted uses and law together, we separated that out

<Marc> Will do. Thanks.

aleecia: marc, please give more thought, that would be useful

<WileyS> I don't believe this was in our draft submitted in DC (Public Purpose)

<aleecia> E. Third party auditing

<aleecia> F. Financial Logging

aleecia: now talk about third-party auditing and financial logging
... will work better when we know how it works currently
... getting a sense of what information will be most useful so can get other folks on a future call

<tl> Absolutely!

<tl> +1

aleecia: help if we had outsourcing agency? auditors act on behalf of third parties?
... is data the same for auditing and financial logging?

<IAB-Chris> still digesting

roy: depends on what they're auditing

<WileyS> Response header already allows external auditing

<WileyS> This group should not be building audit standards for activities behind the firewall (major scope creep)

roy: auditing audience = unique users. auditing campaign locations = referral data.
... usually picked up by auditing mechanisms
... there are other auditing mechanisms that don't involve advertising, don't know much about them

<WileyS> My apologies - thought you had skipped the "3rd Party Audit" Permitted Use conversation and had moved to the broader external audit discussion

<IAB-Chris> does "3rd party auditing" also cover ad verification services?

aleecia: brings up topic of third-party working on behalf of other third-party

<WileyS> Yes - 3rd Party Audit is meant to cover ad verifications services, such as those from Double Verify

<fielding> I don't know if auditors will be willing to fully silo data given that they are trying to ensure the nature of the user agent

<IAB-Chris> right, thanks for the clarification Shane

alex: main problem with auditing and third parties, given third-party spread across sites, can't audit cross sites with DNT:1 unless have mechanism to allow it

<IAB-Chris> could it also be a SOX auditor?

heather: speculating that third-party working on behalf of third-party will help and is a special case

<fielding> hwest is correct

<rvaneijk> alex, is campaign calibration an auditing activity?

<IAB-Chris> ad verification companies audit EVERYTHING related to an ad impression

<IAB-Chris> all targeting criteria

shane: many acting as third-parties do have ad verification services thrusted on them, we call it out separately in the proposal, it's not specific to financial logging. this concept is also financial and quality as well

<alex> how do you define "campaign calibration"

shane: looking at the quality elements, is called out separately, to ensure freq capping, user wasn't impressed on ads that shouldn't have been and was on those they should have

<rvaneijk> alex, tell me, it is a term you used in DC.

<IAB-Chris> to further clarify, ad verification CAN be tied to financial, as it relates to the contract between advertiser and publisher, and thus to payment

shane: do need it for continuity and quality delivery. need across sites

<IAB-Chris> btw, ad verification guidelines have been published by the MRC and IAB

aleecia: IAB has information about this

<alex> rvaneijk, need to look at context, will get back to you

<IAB-Chris> lots of auditing works to protect consumers

<WileyS> Peter, please explain "danger" in this context

peter: there is a real danger that industry designs auditing, data ends up shared widely because it helps to audit stuff.

<IAB-Chris> per the ad verification guidelines, data cannot be re-shared

<WileyS> We work with them daily - I can reach out and ask if they will join W3C to participate in this discussion

<aleecia> or even just on a single call

<aleecia> let's talk

roy: might be appropriate to focus more on not retaining personal identifiable parts beyond timeframe. auditing I know about is focused on 1st/3rd party obligations. don't care about personal details. don't using backend processes.

<WileyS> Disagree on Ad Verification services

<Zakim> tl, you wanted to say that DNT doesn't become business as usual just because some things take advantage of business as usual

<tl> -q

shane: ad verification services do retain data for entire campaign

<IAB-Chris> in digital advertising, the ad impression is the "currency" (what's charged for); as such, anything related to how it's charged for (including targeting data) could be audited in a financial/SOX audit

aleecia: can anyone speak to non-ad auditing?

heather: speculating that it's smaller companies that outsourced "is my widget working?"

rob: outside my expertise. print publications have auditing.

<fielding> audience metrics

<WileyS> I believe Akamai also performs some level of auditing on their edge serving services (as a 3rd party)

<WileyS> But this could fall under "Product Improvement"

aleecia: Akamai, that is a good point. Should have them come talk to us.

<IAB-Chris> traffic auditing is common for telcos

<fielding> another common audit is reach -- is a public announcement actually reaching the public, common in hiring requirements

<rvaneijk> IAB-Chris, is that legal in the EU?

<pde> hwest, I'd be surprised if many small widget-making startups can afford to have outside auditing of their widgets

aleecia: expect next call will be on DNT document

<hwest> pde, it's cheaper than hiring in the expertise

<IAB-Chris> rvaneijk- not sure I understand your question?

<hwest> (at least in the short term)

<pde> I'd imagine they have a few engineers in a room who both make the widgets and try to test that they actually work

<vincent> IAB-Chris, what type of traffic are you referring to?

<WileyS> Regrets for next week - I won't be on the call :-(

aleecia: will summarize June 20-22 meeting on mailing list. thanks for making the call.

<fielding> search for "online audit service"

<aleecia> thanks, all

<pde> hwest, that would be true if it was a substantially different skillset (and of course I could be convinced by data :)

Summary of Action Items

[NEW] ACTION: ifette to write up proposal for allowed uses for protocol data in the first N weeks [recorded in http://www.w3.org/2012/04/25-dnt-minutes.html#action02]
[NEW] ACTION: lowenthal to write up proposal for allowed uses for protocol data in the first N weeks for ISSUE-142 [recorded in http://www.w3.org/2012/04/25-dnt-minutes.html#action03]
[NEW] ACTION: npdoty to differentiate observers from members in attendee list for DC minutes [recorded in http://www.w3.org/2012/04/25-dnt-minutes.html#action01]
[NEW] ACTION: wiley to write up proposal for allowed uses for protocol data in the first N weeks for ISSUE-142 [recorded in http://www.w3.org/2012/04/25-dnt-minutes.html#action04]
 
[End of minutes]

Minutes formatted by David Booth's scribe.perl version 1.135 (CVS log)
$Date: 2012/05/01 05:41:14 $