W3C

Tracking Protection Working Group teleconference

30 May 2012

Agenda

See also: IRC log

Attendees

Present
aleecia, npdoty, eberkower, samsilberman, efelten, hefferjr, Anna_Long, BrendanIAB, Chris_IAB, ninjamarnau, aclearwater, WileyS, Joanne, Dan_Caprio, schunter, vincent_, [Google], jmayer, vinay, bilcorry, justin, [Apple], hwest, fielding, hefferjw, johnsimpson, tedleung, Chris_PedigoOPA, Susan_Israel, [Microsoft], JC, dsriedel, johnsimpson, +1.917.318.aagg, +1.917.318.aahh, +1.917.318.aaii, ifette, dsinger, erikn
Regrets
chester, sstamm
Chair
aleecia
Scribe
ninjamarnau


<npdoty> chair: aleecia

Selection of scribe

<npdoty> scribenick: ninjamarnau

Any comments on minutes, http://www.w3.org/2012/05/09-dnt-minutes and http://www.w3.org/2012/05/16-dnt-minutes

aleecia: first item: Comments on the minutes?
... if names and institutions should be changed, please contact us.

<npdoty> from last week and just posted last night, these minutes are also available http://www.w3.org/2012/05/23-dnt-minutes

Quick check that callers are identified

Review of overdue action items: https://www.w3.org/2011/tracking-protection/track/actions/overdue

aleecia: item: overdue action items:

<ifette> ACTION-187 due 2012-06-06

<trackbot> ACTION-187 Write text for ISSUE-99 around identity providers as first or third parties, DUE May 5 2012 due date now 2012-06-06

<npdoty> action-196 due today

<trackbot> ACTION-196 Draft text on whether url shorteners are first or third parties due date now today

<npdoty> action-160?

<trackbot> ACTION-160 -- Peter Eckersley to work with Shane on common ground on unlinkability normative/non-normative text -- due 2012-05-23 -- OPEN

<trackbot> http://www.w3.org/2011/tracking-protection/track/actions/160

<ifette> already updated

<ifette> ACTION-187?

<trackbot> ACTION-187 -- Ian Fette to write text for ISSUE-99 around identity providers as first or third parties, DUE May 5 2012 -- due 2012-06-06 -- OPEN

<trackbot> http://www.w3.org/2011/tracking-protection/track/actions/187

<ifette> need 1 week

<npdoty> ACTION: Wiley to follow-up with Peter or otherwise post current draft to the list for Unlinkability due 6/4 [recorded in http://www.w3.org/2012/05/30-dnt-minutes.html#action01]

<trackbot> Created ACTION-207 - Follow-up with Peter or otherwise post current draft to the list for Unlinkability due 6/4 [on Shane Wiley - due 2012-06-06].

<Chris_IAB> Nick, how do we get ISSUE 143 on the agenda for a call before our next face-to-face; industry feels this is a critical component for consumer education and for industry to comply...

WileyS: Action 160 will be drafted soon. Probably until Monday. Working together with Peter.

<npdoty> Chris_IAB, let's follow up with the chairs offline for agenda issues

<WileyS> I'm about a quarter of the way through the document

aleecia: action 178 - WileyS and Tom wanted to draft something that includes the two proposals. Tom was not able to do this and dropped out of it. I asked some people to step in. In the meantime WileyS and I started working on this.

<WileyS> I'm still hoping to have it out by the end of the week

aleecia: action 178 can be closed unless someone steps in.

<WileyS> Aleecia - I have in IRC :-)

<aleecia> Great, let's talk on friday

<npdoty> action-150?

<trackbot> ACTION-150 -- Ninja Marnau to analyse EU legal implications of exceptions to (thissite, *) -- due 2012-05-04 -- OPEN

<trackbot> http://www.w3.org/2011/tracking-protection/track/actions/150

<npdoty> action-174?

<trackbot> ACTION-174 -- Ninja Marnau to write up implication of origin/* exceptions in EU context -- due 2012-05-04 -- OPEN

<trackbot> http://www.w3.org/2011/tracking-protection/track/actions/174

<npdoty> ninjamarnau: apology, was too busy for the last 5 weeks. would probably need 1 more week

<npdoty> aleecia: okay, but if we can't do this in one more week we may have to close these issues

<npdoty> action-150 due 6/6

<trackbot> ACTION-150 Analyse EU legal implications of exceptions to (thissite, *) due date now 6/6

<npdoty> action-174 due 6/6

<trackbot> ACTION-174 Write up implication of origin/* exceptions in EU context due date now 6/6

<susanisrael> susan israel is also on the call

<Chris_IAB> FYI TO ALL: the IAB will be hosting a DNT education and feedback industry event on June 12th in NYC. We have invited Aleecia to present in her capacity as co-chair to this working group (still waiting for a reply); Shane Wiley will be presenting (confirmed); Mozilla was also invited (waiting for confirmation); industry panel will discuss implementation issues; If you are interested in attending this event or would like more info, please email chris.mejia@iab

aleecia: Action 170 on hwest?

<fielding> is it still needed?

hwest: I need one more week. They are in progress.
... I still want to include some changes

<npdoty> action-179?

<trackbot> ACTION-179 -- Shane Wiley to draft section on seriousness of the request for a user-granted exception (with ninja) -- due 2012-04-19 -- OPEN

<trackbot> http://www.w3.org/2011/tracking-protection/track/actions/179

<WileyS> Draft already sent

<npdoty> action-179 pending review

aleecia: Action 179 should go to pending review

Reminders on f2f dates

<aleecia> https://www.w3.org/2002/09/wbs/49311/tpwg-belle-f2f/

aleecia: reminders for the face2face. Please register your coming. We need a sense of how many people will join and observe.

<jmayer> Thanks for the rich discussion of press attendance!

aleecia: same policy as last time. as long as there is space, we won't turn away observers.
... want to talk about the compliance side

<npdoty> aleecia: haven't turned anyone away except for members of press

aleecia: some people came up with proposals to bridge the gap.

<jmayer> The chairs just unilaterally announced that press cannot attend the next meeting. I continue to strongly object.

aleecia: if you have proposals please get in touch with me before the f2f, so I can prepare the agenda.

<Chris_IAB> Aleecia/Nick- please contact me offline about compliance and the agenda for face-to-face; industry may have a proposal to present

<jmayer> Apple's insane press policy has induced a race to the bottom on transparency. Awesome.

<JC> Race to the bottom is a bit extreme

aleecia: Regarding the press issue. We discussed on the mailing list that we have people who are not allowed to speak with press present. This is a pretty strong argument against press.

<JC> There is plenty of transparency

<jmayer> dsinger, JC - I didn't hear any substantive engagement on ways to accommodate press with limited quoting and attribution. Participants just regurgitated the "chilling effects" talking point.

<JC> Happy to support formal briefings

<jmayer> I explained the substantial benefits on the mailing list. Again none of the industry participants engaged.

Introduction of http://www.w3.org/2011/tracking-protection/global-considerations.html

<aleecia> http://www.w3.org/2011/tracking-protection/global-considerations.html

<dsinger> Having the press present would have a substantial chilling effect on free discourse, as well, even without corporate restrictions

WileyS: Aleecia, can you share what the status of the document of global considerations is?

<dsinger> what is the status of this document? (Normative or Informative?) I assume Informative?

<npdoty> WileyS: curious about process, how to include text, Yahoo! folks interested in contributing

<WileyS> Sounds good - thank you

<dsinger> I see no upside at all to having press present. None. Perhaps we could hear some? IMHO we are much better off briefing them.

<npdoty> aleecia: possible to publish as a note

aleecia: We had things moving when we moved parts from the compliance doc to the global considerations doc. Everyone is welcome to participate. We have a separate mailing list for this document. I do not have a particularly strong opinion of people not in the working group taking part. But they should have read the intellectual property policy of W3C.

<Joanne_> is the considerations list address published?

<aleecia> http://www.w3.org/2011/tracking-protection/global-considerations.html

<fielding> it was not announced on our list

<dsinger> why are we on a separate list?

<johnsimpson> same here. didn't know there was a list

npdoty: that separate mailing list was not used until now.

aleecia: It does make sense to advertise the mailing list publicly on the DNT mailing list.

<dsinger> can we stay on one list unless the traffic gets unmanageable?

<johnsimpson> or if I did there was i forgot about it

<dsinger> is there at least one instance of such a person?

<justin> dsinger, *gets* unmanageable?

aleecia: as long as only a subset of people is interested, separate mailing lists are the preferred way.

<npdoty> aleecia: intended to be an informative document

aleecia: help, pinpointers for international implementation. Not meant to create new requirements.

<npdoty> the intended separate list (without any activity) for global considerations discussion was/is: http://lists.w3.org/Archives/Public/public-tracking-international/

<npdoty> I apologize that that wasn't announced on public-tracking; I thought it was and I'll do so today

Revisit action-190 (Allowed uses of protocol data in first N weeks)

<fielding> ACTION-190?

<trackbot> ACTION-190 -- Ian Fette to write up proposal for allowed uses for protocol data in the first N weeks -- due 2012-05-02 -- PENDINGREVIEW

<trackbot> http://www.w3.org/2011/tracking-protection/track/actions/190

<aleecia> http://lists.w3.org/Archives/Public/public-tracking/2012May/0299.html

aleecia: ACTION 190 on protocol data. There was discussion on the mailing list.

<WileyS> Proposal in DC was that data must be moved to "unlinkable" within this arbitrary time period

<WileyS> I'm not supporting that - that was the proposal

aleecia: there was confusion on first parties. The six weeks deadline is meant to figure out what kind of data the party has, and if DNT applies.

<justin> Unlinkable is a subset of compliant, not sure there's an argument here.

<npdoty> is the suggestion that we could put in this draft text and know that we may have to update it depending on the outcome of compliance discussions?

WileyS: We need to define the permitted uses before this. Can I come back to this topic when we know more about what compliance means?

<WileyS> Justin, agreed - unlinkability moves data outside of the scope of DNT so it's a bit of a red herring. We should simply state this and move on. The focus now should be what is permitted outside of "unlinkability"

ifette: We figured it could be hard for people to comply with DNT from day 1. Original proposal was to extend the time to figure out what you need to do to comply and be able to prove this in an audit.

jmayer: I think we have different opinions on restrictions on collection. We have some agreement on data minimization and the idea of permitted uses.

<npdoty> jmayer: and even on the lenient side of data minimization or collection, it could still help to get implementation to have a 6-week grace period

WileyS: We talk about this time frame before permitted uses. I try to figure out what these 6 weeks buy me.
... what is the physical implication of this time frame?

<justin> I'm still confused as to whether this proposal is just about temporary logging (as aleecia suggests) or for a temporarily broader set of permitted uses (as I suggested).

<WileyS> So this IS an arbitrary data retention limit :-)

<WileyS> Aleecia - care to comment?

jmayer: The 6 week time frame - we set a minimum retention period that parties can count on besides a "reasonable" retention period.

<jmayer> Noted that we could allow new capabilities on retention and use.

<jmayer> Not saying I agree - just explaining what this does.

npdoty: The party might not need all the collected data for the permitted uses. The six weeks are the time frame to sort out the data reasonably needed for the permitted uses and minimize the rest.

<npdoty> for the auditor, the existence of retained data in the 6-week period would never be an indicator of non-compliance?

<JC> i'll try again

<vincent_> the six weeks can be used to filter out data that you collected as a third party from your logs

<justin> ifette, you'll still need to demonstrate that you're not profiling or transferring to third parties immediately.

<ifette> justin, yes, that is rather problematic

<justin> ifette, But you're OK with that, or at least willing to accept that burden?

<jmayer> Yep. Auditing the backend isn't particularly easy, but this doesn't make it much harder.

<ifette> justin, if it can be written in some way that would still prevent a pain in the butt audit (e.g. if we catch you doing this you're in trouble but the assumption / "burden of proof" is that you're not), then yes

aleecia: What I thought I heard in DC is that the reason for the 6 weeks is - you might not know in real time what data falls under the permitted uses you claimed. Real time is a huge hassle. So we grant them 6 weeks to figure out which data dnt compliance allows them to keep.

<Chris_IAB> why are views "disturbing"? they are just POVs...

<aleecia> because I thought we all agreed rather strongly.

<npdoty> aleecia: point of the 6 weeks is to give companies time to figure out what they're doing with that data; that was what I understood we were discussing

<Chris_IAB> Oh, I didn't get that from the face-to-face

<aleecia> It suggests either I misunderstood, or others did, or ..

<Chris_IAB> and anyway, as more has come to bear on the 6-weeks proposal, people's minds might have changed. I think that's reasonable and part of an open process :)

<npdoty> JC: I don't think we should use Do Not Track as a way to push out data retention limits on industry. Aleecia: I don't think that's what we're discussing, unless I misunderstood

<aleecia> Many of us seem to have confirmation bias, e.g. we hear what we want to hear and discard the rest :-) My big problem with confirmation bias appears to be that I think there is agreement beyond what there is.

<WileyS> As long as data is not used for anything other than Permitted Uses (with data minimization and transparency) - why do we need an arbitrary timeframe? This 6 weeks doesn't appear to buy anything.

<dsinger> yes, echoing Aleecia: for 6 weeks you can keep stuff you don't understand (and therefore can't and don't use), while you sift it out, and so on; that's my understanding; once you know what you have, you also know whether you're supposed to have it and are allowed to use it, under DNT :-)

<aclearwater> I agree with WileyS that it is difficult to think of a situation when is it useful to have this time frame before the permitted use carve out.

jmayer: I would not support that permitted uses as security and fraud move us to a longer retention period in general.

<npdoty> WileyS, what about data that isn't needed for any permitted use? do you have to delete that data immediately? or should there be a buffer even for data not needed for any permitted use?

<justin> ifette, I don't want the spec to require pain-in-the-butt affirmatively-demonstrating compliance for any of this, but we obviously can't prescribe how DPAs structure any audits they'll require. So that said, not entirely sure how much this buys you.

<dsinger> to npdoty: I think the whole point is you get 6 weeks to answer that question (what do I have to discard?)

aleecia: The discussion about retention periods should be separated from this.

<ifette> justin, indeed. My attempt was to say "in the first six weeks, you get the benefit of the doubt."

<WileyS> Many of the permitted uses require all of the data (log file record). This carve-out appears to provide some arbitrary timeframe for data aggregation (reporting). None of the other Permitted Uses are covered by this arbitrary timeframe.

<npdoty> dsinger, exactly, that's my understanding.

<WileyS> That was for you Nick

jmayer: For both discussions the same privacy considerations apply.

<dsinger> to ifette: I don't think there's any 'benefit of doubt' here; it does not allow you to USE the data any more, just time to work out what data is what

<jmayer> Two retention discussions: maximums for exceptions, (lesser) maximums for protocol information. Similar considerations.

aleecia: WileyS, are you saying that permitted uses have overall no restrictions on collecting data? So that there is no need for stripping some data in this 6 weeks time frame?

<jmayer> Wiley, um, no, removing ID cookies != unlinkable.

<jmayer> We could treat cookie data differently. That's an option.

<justin> If this convo presumes collection of unique IDs, then the 2-6 week period is about tiering of permitted uses. If we presume no unique IDs in DNT, this is a very different conversation. That may explain the sprawling nature of this debate.

WileyS: The main privacy concern is the identifier within the cookie - but this is still needed for many permitted uses.

<aleecia> So we're hearing from Shane that collection would be unchanged for many companies under the permitted uses he envisions, which is an important thing to understand

aleecia: To sum it up - for you there is not necessarily a minimization of data collection under permitted uses.

<WileyS> +1 to Ian - that was my suggestion at the beginning of this discussion

<jmayer> justin, either presumes no IDs or that "reasonable minimization" has teeth

<Zakim> dsinger, you wanted to say that we should still advise 'minimal logging' in the first place (i.e. if you can determine at the time of potential collection that this data is not

<WileyS> jmayer - if I have no unique IDs (I strip cookie IDs, the IP address, MAC address, etc.) would you consider the record to now be "unlinkable"?

<npdoty> ifette: fine with delaying based on the compliance discussion, but should come back to what requirements are on Day 0 in terms of implementation

<justin> jmayer, No argument.

<WileyS> jmayer - in short, where is the unlinkable line for you?

dsinger: We should advise on minimal logging. If you do not know if you need the data, perhaps you should not log it in the first place.

<ifette> ifette: I'm OK with setting this aside for now, it sounds like there's still a fair amount of disagreement on whether this is necessary and/or what exact form that it should take. What I would ask then is that, once we have a more complete view of what DNT means, we look at what compliance would mean "at time zero", whether it would require real-time processing, and how one would defend against an audit/investigation with respect to data at time zero.

<jmayer> WileyS, of course not. That's deidentified data. There's a booming scientific literature about how deidentified data can be reidentified.

<dsinger> you could also write dnt:1 records to a different log/database, for example

<Chris_IAB> You have to log data Aleecia; for many reasons unrelated to DNT; it's not trivial to re-engineer the Internet

<jmayer> WileyS, there is no easy, bright-line rule for unlinkability. Even the DAA principles recognize that.

<ifette> aleecia, yes that's also a huge part of this

<npdoty> aleecia: trying to resolve, not have to decide in real-time whether a Permitted Use applies

Initial discussion around new issue-148, What does DNT:0 mean?

<ifette> ISSUE-148?

<trackbot> ISSUE-148 -- What does DNT:0 mean? -- raised

<trackbot> http://www.w3.org/2011/tracking-protection/track/issues/148

<npdoty> ifette, but you think there's something else to this?

aleecia: We are looking into a few other things. ISSUE 148 - What does DNT 0 mean?

<aleecia> Presumably DNT:0 means something along the lines of "yes, you may track me," but we come back to what exactly that entails. If we say "you may collect any data and use it for any purpose" this will not count as consent in the EU since there is not an associated context. Can we craft something that will work for everyone?

<jmayer> Want to be sure to note that I (and I suspect many others) don't agree with a six week protocol grace period.

<ifette> npdoty, the other part is "how the heck am I supposed to defend against an audit at time zero"

<jmayer> Somewhere on the order of 1-2 weeks would be ok.

<Chris_IAB> Aleecia, when you say "it's easy to write some code..." I don't believe you appreciate what's really involved with at scale systems.

<WileyS> jmayer - all examples to date (AOL, NetFlix, etc.) have relied on data coupled with a log record to allow for reidentification - in most of those cases that data was declared data (freely given by the user) and is outside of the scope of DNT which focuses on observed data (primarily log records).

<npdoty> ifette, if that's the only additional part, great, I understand

<jmayer> ifette, if the concern is auditing, let's talk about auditing - not general-purpose retention.

<dsinger> particularly, what is the difference (if any) between no DNT header, and DNT:0 ??

<justin> +1 to jmayer --- which is why I was wondering why he kept saying "6 weeks" over and over again :)

aleecia: we keep coming back to this because a consent for Europe needs to be explicit.

<jmayer> The new UK regulation carefully scoped implied consent to first-party cookies - not third-party cookies.

<WileyS> And then the Netherlands came out with guidance on the opposite end of the spectrum - gotta love the EU :-)

ifette: I am concerned about being too explicit. The situation in Europe is not completely clear. For me a simple DNT:0 just means being okay with being outside of the DNT standard.

<WileyS> jmayer - not true, implied consent could apply to 3rd cookies as well

jmayer: DNT:0 should mean that the user is okay with whatever you present in written form to the user.

<WileyS> Disagree, DNT:0 should mean DNT is fully lifted - trying to create a multi-layered onion on what DNT:0 will be difficult to manage

<aleecia> Ian is right to correct me from "EU" to "some EU countries." It would be useful to get discussion around both the Netherlands and the UK. If anyone has suggestions of someone close to the UK regulations willing to speak with the group and take questions, please let me know.

<Zakim> fielding, you wanted to be clear, if DNT:0 has no defined meaning and set of purposes for which data collections is specifically allowed, then user-granted exceptions have no

<npdoty> dsinger: want to be clear that I don't think DNT:0 should imply anything beyond not sending DNT at all

dsinger: I would be uncomfortable with DNT:0 implying any more consent than conveying that he/she does not send DNT:1.

<jmayer> WileyS, the UK ICO guidelines give advertising cookies as an obvious example of cookies that require explicit consent.

<dsinger> ...except that I am telling you that others are getting dnt:1, and I give you the opportunity to reflect back to me that you saw dnt:0 from me

<WileyS> +1 with david singer and roy fielding

<JC> +1

<npdoty> WileyS, I think David and Roy disagree :)

<jmayer> Value of exception API: persistence, standardized user experience.

<WileyS> Nick, roy did go in a new direction there at the end so I agree. I thought he started that DNT:0 should mean the absence of DNT:1

<ninjamarnau_> a tool to convey consent would be the major benefit of DNT in Europe. Especially the Opt back in should convey an explicit consent.

<dsinger> dnt:0 on all requests says "I am aware of DNT and have chosen not to turn it on", whereas absence is more vague

<WileyS> dsinger, I thought we agreed that DNT:0 meant "you have an exception from this user" and no DNT signal meant the user has not made a choice yet (whether their browser supports the feature or not)

<WileyS> I'm with Ninja on this one - DNT:0 should mean you've been granted an exception

<WileyS> Ninja - did I get that right?

<dsinger> wileys, yes; I was trying to interpret dnt:0 on all requests (whereupon no-one is 'excepted')...

<npdoty> I wasn't suggesting that DNT compliance requires legal compliance, just that we could include another reminder that DNT doesn't affect legal compliance (since that seemed to be the essence of Jonathan's request)

<dsinger> where would the definition go? (which document/section)?

<ifette> I'll volunteer to write one viewpoint, though I doubt everyone will agree with my view :)

<npdoty> ... to avoid any confusion that DNT:0 would override your legal requirements on consent

<ninjamarnau_> WileyS, I am not entirely sure if DNT:0 and site specific exceptions are conveyed in the same way.

<fielding> The only reason to request an exception is because an exception is desired -- which law applies doesn't matter. All regions have the notion of prior consent.

<JC> Though they are different, how would the site behave differently?

<jmayer> I'll take the other viewpoint.

<WileyS> Ninja, I believe the TPE uses DNT:0 as the mechanism to convey a user-granted exception

<WileyS> At least in the most current draft

<npdoty> ACTION: fette to draft a definition of DNT:0 expression -- issue-148 [recorded in http://www.w3.org/2012/05/30-dnt-minutes.html#action02]

<trackbot> Created ACTION-208 - Draft a definition of DNT:0 expression -- issue-148 [on Ian Fette - due 2012-06-06].

aleecia: ifette and jmayer volunteer to write their viewpoints. Thank you both.

<npdoty> ACTION: mayer to draft a definition of DNT:0 expression -- issue-148 [recorded in http://www.w3.org/2012/05/30-dnt-minutes.html#action03]

<trackbot> Created ACTION-209 - Draft a definition of DNT:0 expression -- issue-148 [on Jonathan Mayer - due 2012-06-06].

Compliance section for user agents

<trackbot> ISSUE-149 -- Compliance section for user agents -- raised

<trackbot> http://www.w3.org/2011/tracking-protection/track/issues/149

aleecia: Next Issue - compliance for user agents.

<fielding> UK cookie info: http://www.ico.gov.uk/for_organisations/privacy_and_electronic_communications/the_guide/cookies.aspx

aleecia: What motivates this is we talked about intermediaries. The user agent should convey the user's voice.
... is it okay to have a default of DNT:1 or DNT:0. Example of AVG

<Chris_IAB> yes, this goes to open issue 143

<ifette> (yes it's worth discussing)

<npdoty> ... reasonable people in the group disagree about whether AVG fits our understanding

<dsinger> I think it important that the user's choice be expressible through their choice of user-agent, configuration of user-agent, or other software (e.g. a privacy-enhancing proxy)

<aleecia> issue-143 is against the TPE document, not compliance. Different issue.

<WileyS> I've submitted an issue for User Agents to record that they were the party to set the DNT:1 signal and this be conveyed in the header. This provides transparency for the sender.

<dsinger> I thought there was

<hwest> I thought there was pretty broad consensus there as well

<ifette> i thought there was consensus that a UA could not set DNT:1 by default w/o asking the user

<JC> Straw poll

aleecia: I thought there was consensus that a user agent should not have a default. jmayer disagrees.

<jmayer> There is undoubtedly consensus among industry stakeholders :)

<WileyS> Why can't we do "+1" via IRC?

<Chris_IAB> In doing what they've done, AVG makes it very difficult for publishers to "honor" any DNT request, without knowing the source and how DNT was set

aleecia: probably better to discuss this f2f.

<dsinger> If I sell a UA "PrivacyPlus" that minimizes fingerprinting, turns on DNT, doesn't log what you do or maintain history, and so on, it's a valid use choice to use that UA.

<ifette> dsinger, surely "privacy plus" could ask on first run

<aleecia> ifette, same as how Chrome would ask on first run...

<ifette> aleecia, chrome isn't targeting a niche group of users with a ton of features that tend to break the web

<fielding> http://www.w3.org/2011/tracking-protection/drafts/tracking-dnt.html#determining

npdoty: there may be some gray area - what about a privacy browser like dsinger described.

<Chris_IAB> are we doing this in person, or now?

<aleecia> but it's the same deal: getting in the way of install is unattractive for anyone

jmayer: We should take into account that local law might require a default. So we should not prohibit it.

aleecia: This is an issue we need to come back to. I create a new issue and an agenda item.

<npdoty> does issue-149 capture this question already?

<jmayer> Noted three issues we need to decide: 1) where on the spectrum of user interaction/user understanding is the cutoff? 2) how do we handle first run and upgrade prompts? 3) how do we account for law that requires a default?

<Chris_IAB> I would like to see it on an agenda before the face-to-face though, with enough time to adequately hear from all

aleecia: another issue, unsure to take this up: What about the browser DNT setting contradicting the setting of addons?

<npdoty> can we just decide this question is out of scope?

<dsinger> +1 to npdoty!

<aleecia> we could, but it seems a bit insane as is

<npdoty> (we don't normally standardize how conflicting user agent software works)

<hwest> I think it's worth looking at

<Chris_IAB> I think we take it on

ifette: I think it is fair to say that server side cannot distinguish what is the will of the user. So there should be no responsibilities.

<jmayer> Another issue we have to decide: can a server ignore "DNT: 1" if it has reason to believe it wasn't explicitly set?

<jmayer> I think the answer there should be plainly no.

<WileyS> jmayer, that's why I'm asking that the setter be named and I believe the answer can be "yes" in some cases.

<jmayer> It's in nobody's interest to have second-guessing of DNT.

<npdoty> ifette: for better or worse the server won't be able to tell whether or how conflicts on the client affect setting of the DNT header

<WileyS> jmayer, disagree but understand your position

aleecia: We have DNT 1, 0 or unset. Do we want to take on how UA should present this choice to the user?

<Chris_IAB> good question jmayer; I think the answer should be yes, if it wasn't set per our requirements for compliance, which should include a UI component

<vincent_> WileyS, couldn't the party then just request site exception?

<dsinger> I think the current text ('must reflect the user's choice') is fine, and trying to be more precise is a tar-pit

<Chris_IAB> Aleecia, how/why do you call UI "out of scope"?

<npdoty> +1 to dsinger, I think

<Chris_IAB> I don't understand this

<Chris_IAB> which charter exactly?

<JC> +1 UI out of scope

<WileyS> vincent, requesting exceptions may come with consumer trade-offs: paywalls, restricted access, more ads, etc. I'd rather not present the exception request unless a valid DNT:1 is received.

<npdoty> Chris_IAB, charter is here: http://www.w3.org/2011/tracking-protection/charter we can work on guidelines for UI but we don't specify presentation to the user

<jmayer> Chris_IAB, UI is the third rail of W3C discussions.

<aleecia> Chris, the charter is linked from the main page for the TPWG; worth a read

<jmayer> Not dissimilar to Social Security in DC...

ifette: This depends on the meaning of DNT:0. If it has a totally different meaning to unset I would appreciate guidance.

<Chris_IAB> ok, so let's not call it "UI" then; let's call it "requirements for the influencing of setting DNT"

<Chris_IAB> is that in charter?

<JC> Chris_IAB, that is what we are discussing

<vincent_> WileyS, imho if the user did not set DNT:1 and get restricted access and/or exception request, he'll certainly disable the add-on that sets DNT

<npdoty> thx, I have a better understanding, I think

<dsinger> I think dnt:0 should be an artefact of the protocol, not a third user choice

<efelten> Chris, the group's charter is here: http://www.w3.org/2011/tracking-protection/charter

<jmayer> Chris_IAB, we can discuss defaults and standards of consent; we can't set UI specifics (e.g. text, format, etc.).

aleecia: We best come back to this when we figured what DNT:0 means.

<ifette> ISSUE-143?

<trackbot> ISSUE-143 -- Activating a Tracking Preference must require explicit, informed consent from a user -- raised

<trackbot> http://www.w3.org/2011/tracking-protection/track/issues/143

<WileyS> vincent, the user may not be aware which product they installed that did this - hence the request that setters be named

<Chris_IAB> got the Charter, thanks efelten; wondering if there is any way to re-open the charter if the working group feels it is no longer correct?

aleecia: suggestion is we leave ISSUE 143 as it is right now. Postponed discussion.

<Chris_IAB> does the W3C have a mechanism for altering the charter of a Working Group?

<npdoty> Chris_IAB, I'm happy to follow up on W3C process re-chartering

<dsinger> to Chris_IAB, yes, it's called re-chartering, and is a major step

<Chris_IAB> great, a lot of us joined after the charter was set

<npdoty> aleecia: a reminder, if you have some proposal you want on the agenda, need to know this week

Summary of Action Items

[NEW] ACTION: fette to draft a definition of DNT:0 expression -- issue-148 [recorded in http://www.w3.org/2012/05/30-dnt-minutes.html#action02]
[NEW] ACTION: mayer to draft a definition of DNT:0 expression -- issue-148 [recorded in http://www.w3.org/2012/05/30-dnt-minutes.html#action03]
[NEW] ACTION: Wiley to follow-up with Peter or otherwise post current draft to the list for Unlinkability due 6/4 [recorded in http://www.w3.org/2012/05/30-dnt-minutes.html#action01]
 
[End of minutes]

Minutes formatted by David Booth's scribe.perl version 1.135 (CVS log)
$Date: 2012/06/14 05:37:54 $