See also: IRC log
<npdoty> Internet connection info is on the whitescreen, although if you're reading this....
<npdoty> <sings Happy Birthday>
<npdoty> scribenick: npdoty
schunter: welcome back, thanks for coming back
... happy with the progress so far
... identified two major proposals and a lot of areas of agreement
... and a very lively discussion on the mailing list
... in working order and we are working cooperatively on finding solutions to our challenges
... appreciate the time you put into this group and the constructive feedback
<applause>
schunter: still have some work to do
... don't need to debate the wordsmithing, but figure out what pieces we can or can't live with
... not to aim for perfect solution, but what are the key points that I cannot live with and focusing on getting agreement with these points
... feel free to make little groups over coffee to work out issues, which can be even more efficient
... agenda review and looking for scribes
... 1. Welcome and Goals
... finding solutions
tl: introduce yourselves and note the observers
schunter: +1, go through introductions around the room after this session
<Chris_IAB> I would scribe, but I am only an "observer"
<asoltani> jjj
<tl> Chris_IAB: That's the best place to scribe from!
scribe volunteers: dwainberg, justin, rigo, Ian, AmyC, jason
<Chris_IAB> yeah, I'm not in accord with that...
<Chris_IAB> if I'm only an observer, I'd like to observe :)
<dwainberg> is there a cheat sheet on the web with the scribing syntax
<dwainberg> ?
<tl> Chris_IAB, Scribing is a great opportunity to follow the conversation very closely!
<scribe> scribenick: dwainberg
Participants:
Jon Mayer ...
scribe: Justin Brookman,
... Vinay G
Brooks Dobbs....
(sorry, I'm missing some)
<robsherman> ...Rob Sherman
Mike Zaneis
Thomas R
Keerat
<Chris_IAB> sorry, who is "tl"?
<Chris_IAB> you have a non-transparent IRC name
<sidstamm> Chris_IAB, tl is tom lowenthal
<npdoty> <applause for our hosts>
<npdoty> I'll share the full attendee list since we won't get everyone's details in this go-round
aleecia: thanking companies that provided support
<npdoty> huge thanks to Microsoft for hosting, and to Yahoo, Facebook and Google for financial support
aleecia: [reviewing the agenda]
... Mission of the TPWG is to improve user privacy .... (from the charter)
... we need something that works for users and that can be adopted by biz
... [reviewing dates]
... dates are aspirational
... we were looking for a last call doc in June, we'll see if it happens, even if we don't, we need to publish something out of this meeting
... WG issue freeze
... aleecia filled in dates assuming last call, and padded it out
... Getting to closed
... we start with an open issue, use texts to have discussions, and get to consensus text, then closed issue
... issues can be reopened based on new information
... w/out new info or new text the issue will remain closed
... we can have formal objectsion
... if we have multiple texts, consensus is on the least objectionable proposal
... chairs will identify consensus for the least objectionable path
... it is about substance, not about volume, "me too's", etc.
... WileyS: there is not agreement on this process, can we set that aside as a separate issue
rigo: this _is_ w3c process...it's about sustained opposition
<npdoty> If you're curious about w3c process: http://www.w3.org/2005/10/Process-20051014/
tlr: [reading from the process doc] "where unanimity is not possible, ... in establishing consensus, the WG must address legit concerns of members.... it is desirable that a large majority accept...
<npdoty> http://www.w3.org/2005/10/Process-20051014/policies.html#Consensus
tlr: ignore the above (old process doc vesion)
<npdoty> <ignore earlier tlr, reading out of date version>
tlr: current version: "in some cases a group may be unable to reach consensus.... dissenters cannot stop the groups work....if chair believes group has considered dissenters views they can move on
... consensus ... [reading from the process doc]
... it is a general practice to look for the least objectionable
ian: can we highlight the process for moving a document to last call?
tlr: upon consensus of the WG
aleecia: typically we do not have a vote, but last call could be a time for a vote
<BerinSzoka> Here's the W3C process document that was just read from: http://www.w3.org/2005/10/Process-20051014/policies
<tlr> http://www.w3.org/2005/10/Process-20051014/policies.html#Consensus
<BerinSzoka> note the section on Consensus in particular http://www.w3.org/2005/10/Process-20051014/policies#Consensus
<tlr> an additional piece that I didn't read to you: Groups should favor proposals that create the weakest objections. This is preferred over proposals that are supported by a large majority but that cause strong objections from a few people. As part of making a decision where there is dissent, the Chair is expected to be aware of which participants work for the same (or related) Member organizations and weigh their input accordingly.
<tlr> http://www.w3.org/2005/10/Process-20051014/policies.html#managing-dissent
aleecia: formal objections happen at decision points. FO authors must cite technical basis.
... group can resolve right there, or there is a w3 process, which can go up to Berners-Lee
... if one thing is reversed, there can be an entire dependency chain
... not unusual to have multiple formal objections
... questions?
... (none)
... What's new?
... issues about IP
<npdoty> Rigo Wenning, W3C's Legal Counsel
rigo: is w3c's legal counsel. There were messages on the list about alleged IP issues.
... discussion of the issue on the mailing list has stopped
... w3c can create patent advisory group
... w/ committment to royalty free, the issue is resolved, but if can't resolve quickly, will create advisory group
<npdoty> if we can resolve just by getting a W3C royalty-free licensing commitment, then we don't need to go forward
rigo: formal procedure, with fixed membership, members only, no experts, no observers
... w/ discretion of chair invited experts can be invited to the group
... private meetings, but the result will be public, with suggestions to the wG
<npdoty> deliberation in Member-space only, with a report to the public
rigo: w3c patent policy says clearly that a standard cannot be covered by IP
... there will not be a spec that is encumbered with IP
... important not to give in to panic; we will resolve this.
<npdoty> for questions, grab Rigo in a coffee break
aleecia: on the mailing list; currently it is world readable/writable
... and we're seeing problems
... the chairs will bar contributors who are contributing IP w/out an agreement, or who are disrupting the group
... problem of people contributing IP over which they have a patent
... we need to be careful to keep those things out
... questions?
justin: how does it work; anyone can join, are they required to give up their IP before they can join?
rigo: w3c has a complex framework. Members follow w3 policy. Invited experts sign a form on an individual basis. Observers haven't signed anything, so we have to be careful.
... this is the chair's task to be careful about this.
<npdoty> patent policy details: http://www.w3.org/Consortium/Patent-Policy-20040205/
aleecia: this will be posted w/in the next week.
tlr: one clarification; we have an obligation to respond to comments from the public after last call.
... WRT current members, we're having issues. People are complaining about tone.
<npdoty> people not reading the list because it makes them ill to read it
tlr: Social competence is a key component for WG membership.
... We're getting to the point of having problems.
... Please self-moderate.
... Last piece; we also need a way to take public comments.
... Will set up a public comment list, and we will need to respond to those public comments.
WileyS: Is there a private list as well? What is it?
... Does that exist? Can someone explain its composition.
tl: we do have a private list. By charter it is only allowed for organization, logistics, etc. But no substantive WG content.
<adrianba> Member list archive -> https://lists.w3.org/Archives/Member/member-tracking/
tlr: archive for the private list shows 7 messages from Nov 2011
aleecia: we have new people involved.
<npdoty> (and I don't believe that the Member mailing list archive is currently visible to our Invited Experts)
aleecia: we're seeing exec level decision making descend on the group
... we're suddenly working at executive speed, and it's bogging down the process
... Also external pressures. Press.
... Increased Congressional interest in the US.
... UK "implied consent" for cookies
... NL prior consent
... Art 29 calling out DNT as inadequate
... may have to send out last call for comments twice
<npdoty> "we're doing something unusual and special"
aleecia: thanks to all for doing this work. It is important. It is important to a lot of people. The stakes are high.
... [talking about dinner plans]
<tlr> "new information"
marc: Process question. A decision about one section could hinge on another section that we've not discussed. How do we loop back?
... Troubled or concerned about how that plays out in a rational way.
aleecia: Mostly applies to the compliance doc. For things that have dependencies, we have put those issues together. It is much easier to do it issue by issue.
... for things that are interlocked, we'll just have to do them together.
... if you have specific things in mind, call them out.
... Does that answer your question?
marc: I think so.
npdoty: This may also be "new information"
aleecia: I've tended to be much more willing to go back to issues. This starts to change as we get closer to closed.
... Next we have editors. David is not here, so Roy will do a quick summary on TPE.
<npdoty> editors' draft of TPE: http://www.w3.org/2011/tracking-protection/drafts/tracking-dnt.html
<npdoty> and compliance: http://www.w3.org/2011/tracking-protection/drafts/tracking-compliance.html
Heather and Justin presenting on Compliance Doc
hwest: not many changes made since Washington DC
justin: lots of options in the doc
hwest: options, notes, issues are color coded in the doc
... things not called out are close to consensus
justin: major issues.
... 1. definition of parties and consumer expectations
<Chris_IAB> Nick Doty, please note that Shane Wiley of Yahoo! just sent a formal request to add the IAB as "invited experts" to this TP Working Group; Could you please reply today? Thanks :)
justin: advocates have largely conceded on this
hwest: next piece is permitted uses; what can that party do for operational purposes. We've been treating those together.
justin: parties and unique identifier are biggest issues
... advocates argue there should be no unique identifier; industry argues there should be a number of permitted uses allowed using unique ID's
hwest: the draft at this time does not reflect recent discussions.
justin: not much concern anymore about 1st vs 3rd definitions
... some discussion of need for definition of "tracking" and "collection"
... Section 5 on user granted exceptions. There's some discussion on what is needed for consent.
<npdoty> I'm happy to help with editing if we want to do things in real time or each evening /cc: hwest, justin
hwest: that sums up the big issues
justin: take-away -- don't look at the compliance doc right now (laughter)
(roy presenting on TPE)
<npdoty> I haven't added that functionality (toggling non-normative text) to the live editor's draft yet, but it's ready to go
roy: Defines what goes over the wire.
<npdoty> http://www.w3.org/2011/tracking-protection/drafts/tracking-dnt.html
roy: Status is; we have made changes since the draft in DC. Major areas of change are the tracking response proposal. We've merged Roy's and Tom's proposals into one version, but not sure if they're happy with it.
schunter: The point of this section of the specification is to specify how a server replies to a UA. I perceive agreement on parts, but we'll discuss later.
roy: (displaying diffs on the overhead)
<npdoty> fielding: I think we addressed those Community Group comments, though I'm not quite sure
roy: change; site-specific >> user-granted exceptions
schunter: (describing options for user-granted exceptions)
<npdoty> fielding, johnsimpson, jchester2 -- we should confirm whether we've addressed the CG comments, and if we need to document that, we can do so
<johnsimpson> @nick They were addressed orally in DC. I think those slides were supposed to be sent to us. I don't think they were.
<npdoty> haven't formally reviewed http://www.w3.org/2011/tracking-protection/drafts/tracking-dnt.html#determining
fielding: (continuing to describe diffs)
<npdoty> (fielding's changes on defaults and requirements for setting a preference)
fielding: added issues 111. There are some new issues since the last working draft. We'll cover later.
... other major change is the response section, where it was two proposals, resource and header field, now it uses both, depending on context.
schunter: context. If you want to tell a party it's ok to track. There's user-granted in the spec, and out-of-band, where site continues to get DNT:1, but site can respond it's not honoring because it has out-of-band consent.
<npdoty> section to review (per fielding): http://www.w3.org/2011/tracking-protection/drafts/tracking-dnt.html#responding
fielding: Tk header field is the combination of proposals. Confirm that what you want in there is in there.
schunter: Roy did a great job merging proposals. But the combination is not 100% perfect. What should go into the UI? What should go into the headers?
<aleecia> Checkin notes dlist is here: public-tracking-commit@w3.org
<aleecia> I'll send that to the dlist
schunter: Roy listed attributes you might want to communicate; we have to decide which are needed. But we hope not to need all.
fielding: last topic; user-granted exceptions. dsinger has been working on it.
<dsinger> added the exact model of what happens
<dsinger> added the cancel calls
npdoty: Major changes are adding a method for web-wide exceptions, starting w/ Shane's text, and API for removing exceptions.
<dsinger> added the web-wide exception
npdoty: We want feedback from other browser makers.
<dsinger> added notes and issues
aleecia: What happens if we're not able to come to agreement?
aleecia: What does 6 months, 12 months... look like if we do not have DNT?
jchester2: I'm sure we all feel a responsibility for global users of the internet. ... Without a standard, we will see an escalation of the demands of privacy groups across the world for regulation and greater protections.
kimon: (responding) EU regs are about storage on the client, but DNT is not really about storage.
... but haven't been able to get much out of politicians as far as what they actually want to get out of it.
<npdoty> kimon: EU already has a strong legal framework
kimon: would like to make it interoperational with existing OBA framework.
rigo: Had talks with a company in Japan. They are watching the outcome of US and EU.
WileyS: If this group is unsuccessful, a DNT standard will still emerge. It does not need to be one from a w3c standard.
BerinSzoka: Has been involved in the space for over 4 years. Lots of trade offs. Worry about this process breaking, and leading to a regulatory solution that's less able to deal with tradeoffs.
<npdoty> WileyS, you were also making a point that it might not be universal, but it would still be satisfactory?
BerinSzoka: Examples: A DAA standard outside of this process would be politically difficult. Congressional hearing, it was made clear they wouldn't support a DNT standard that does not comply with headers.
<npdoty> BerinSzoka: re: James Grimmelman testimony
BerinSzoka: Also, FTC could be tasked with writing the standard.
<npdoty> BerinSzoka: a standard from outside this process (from DAA) would likely be unsatisfactory to that audience
BerinSzoka: Markey and Barton have been co-chairs of privacy caucus. Their letter made clear they reject a standard that does not allow DNT to be set by default. They also reject a number of other fundamental assumptions of this group.
... Very likely that if this group does not produce a workable standard, we'll see something crafted by regulators, who have little understanding of the issu.
... in fact this will be resolved by people on the hill.
<npdoty> scribenick: justin
ifette: Google hopes this doesn't fail. But we started with a self-regulatory regime (DAA) that has been implemented by most third-parties, so there's a willingness to do something here.
... Some we came into this process because we realized that DAA process was sub-optimal (have to go to website, cookie-based so not persistent).
<npdoty> a vast majority of the third parties that I believe we're trying to target covered by DAA program -- is that right? I thought we had agreed that these issues applied well beyond behavioral advertising
ifette: But over time it's become clear that group believes that DAA not enough. And WileyS's proposal does make real concessions.
<npdoty> ifette: there are meaningful concessions, this is beyond the DAA program, not just putting DAA opt-out into the browser
ifette: Obviously, some are pushing for a prior consent before tracking, especially in Europe. I am worried about the *pandering* being done around this issue. I don't believe that the world will move to opt-in model if this group fails.
... Europe's opt-in model hasn't worked. And to be fair, the DAA model hasn't worked either.
<rigo> +1 to Ian
aleecia: queue is closed --- be focused!
hober: If this working group fails, we'll need to look to other solutions to protect users' privacy
aleecia: what does that mean?
hober: It will depend. <cryptic!>
aleecia: Give me some options
erikn: I'll take a shot at that
... We're not trying to be dodgy --- we want this to work.
... But we are in agreement internally that we need to do something to protect user privacy.
aleecia: from a browser perspective?
erikn: yes, that captures it. But we really want DNT to succeed and to be the answer.
rvaneijk: Without DNT, there will be enforcement actions in Europe. A lot of people have put hopes on meaningful do not track.
... We need to make process the next three days. There are two ends of the spectrum: do-not-collect vs do-not-target. We need to find the middle.
... The statements of the Congressmen and the Chairman on the FTC (?) all push more for the do not collect approach.
fielding: My hope is that DNT does (?) work out. But don't push for DNT on by default.
... As a protocol editor, I don't want to go through the process of grappling with a DNT by default universe (?)
<efelten> FTC and the Chairman have said that DNT should be Do Not Collect, with narrow exceptions.
<sidstamm> +1 to advocating for "don't track users without consent" but not enabling DNT:1 by default
<tlr> Roy: If you want DNT to be on by default, ask for that to be the default with *no* signal. Don't mess up the protocol.
fielding: DNT should express user preference which can't happen by default. There will be regulation on this if this doesn't work, but it will be focused on the default issue (?)
<npdoty> fielding: for advocates, please don't go out there and ask people to turn on DNT by default, instead ask for regulation that DNT be the regulatory default because it won't need changes to the protocol, or any changes to HTTP protocol, the IETF process
spiezle: We need to focus on the consumer perspective. Lacking trust is hurting our business models.
<npdoty> fielding: I expect that regulation would be about tracking of HTTP requests in general, not tied to the default/DNT setting only
<tl> +1 to appropriate privacy protections should be the default, but DNT should always be the user's voice.
<rigo> +1 to that
spiezle: We're going to see legal approaches to protect users if this doesn't work out.
aleecia: Elaborate.
<BerinSzoka> I've never seen any substantiation of this this consumer trust meltdown scenario that's so often bandied about as a supposedly compelling need for regulation
spiezle: You'll see increased allegations of contract suits, class action suits for privacy violations. Even if they don't work out, bad PR issues.
<npdoty> "even if meritless, will consume a lot of cycles"
jmayer: Want to echo the Apple answer: best answer is getting a standard.
... But if this doesn't work out, the research community will be move active. They will engage much more with regulators (who right now lack expertise). Increasingly, regulaotrs have built better relationships with advocacy and research community.
... Regulators will consult with research community on potential regs. Also, research will push more for ad block solutions if this fails.
... And I don't want that outcome. It would be awful.
WileyS: That happens today even in parallel to DNT.
jmayer: It will be worse if DNT fails.
<BerinSzoka> Bully for Shane for pointing out the obvious: Jonathan's threat to build the ultimate ad blocker, etc will happen regardless
<vincent> WileyS, AdBlock will stop to block ads complying with dnt
tl: Hope DNT works, but pro-privacy users will find a solution. DNT should not be a default, but we can make other privacy choices as a browser that don't need to be off by default.
<npdoty> can we get some commitments or evidence on this point: that advocates won't need to build or advocate for countermeasures if we come up with DNT?
aleecia: I'm going to put some on the spot --- what happens to your org if DNT fails. Picking on Adobe first.
meme: From an engineering perspective, maybe fielding can say better. But I agre with WileyS, companies will compete on privacy. Don't think that's necessarily the best approach, because you lose the value of standardization.
<tl> npdoty, If we have a strong DNT standard, we don't need to.
<jmayer> The research and advocacy communities haven't begun work on technical countermeasures in earnest. I expect the pace of development would accelerate exponentially if DNT fails. Again, that would be a very bad outcome for all stakeholders.
meme: DNT is good because users can reasonably expect the same thing. Adobe is looking at competing on privacy, tho, but it takes time. And we will listen to consumers to see what they are asking for.
aleecia: who else can comment with a strong int'l presence?
hwest: Globally, we think a strong DNT standard that's not fragmented is incredibly value. If we don't have a standard, we'll keep working on privacy (as everyone else will say), but we'd like the reliability of one std where everyone knows what to expect (users and companies)
aleecia: I am expecting someone to say (which I'm not hearing) is that without a standard, companies need to go country to country.
<tl> Sounds like all of the browsers are saying the same thing: DNT is the best outcome, but if DNT isn't a viable option, plan B is technical privacy protections, and we'd rather not have to do that.
fielding: you made an assumption that having a DNT standard will release that pressure. I haven't seen DNT as a fix to cookie law --- when I talk with DPAs in Europe, it's all about YOU NEED TO OBEY THE LAW REGARDLESS OF WHAT THE STD SAYS
... which is reasonable. But if DNT doesn't reach those laws, we need to deal with them anyway.
<dsinger> the other nightmare is that if we do this at the W3C, we can publish, listen, learn, discuss, revise, and be global; regulation is not like that, it tends to be publish and walk away.
ifette: But the question is do we need to try to accord DNT to accomodate every law around the world? I don't think that's a good idea, and would be impossible. I want something that protects privacy (reasonably) and is deployable.
... We'll need to country by country anyway. I take that as a given so we don't need to bog the spec down with every possible legal requirement around the world.
<npdoty> ifette: if there are things we can address cheaply, great; if there are things that are common, great
WileyS: Another outcome the press has brought up. The escalating war between publishers and browsers. We'll get to a world of apps. You access content pre-packaged in browsers. Each of those "browsers" control their own interaction with their users.
... I hope we don't get to that.
<npdoty> +1 to WileyS, I think this is an important point on the dangers of back-and-forth escalation
rigo: Quick report from last week's OBA roundtable in Brussels. I positioned DNT as a tool to help you with regulatory compliance. There aren't 27 Robs around the table or 50 Ed Feltens (for the 50 states). A DNT tool can make compliance a lot easier, and the regulators want that too, and is a good outcome.
<BerinSzoka> Shane is exactly right: turning on DNT by default could fundamentally change digital media landscape. everyone hear should read and think carefully about "Opt-In Dystopias" by Betsy masiello & Nick Lundblad http://www.law.ed.ac.uk/ahrc/script-ed/vol7-1/lundblad.asp
rigo: We should adapt the protocol to address some regulatory concenrs.
kimon: Regulators in Brussels stated very clearly that DNT can't fix law, but you should come up with a good technical standard, and we'll take it from there.
<BerinSzoka> but to add to Shane's point, that world may not only be bad in economic terms for the diversity of richness of media, but also for (a) competition and (b) privacy
kimon: Not very helpful to focus on the legal side. This should really be about users --- what will they expect and use. If we offer a simple solution, users will take it and it will work. We need to address user concerns.
... signal from Brussels really is DON'T TRY TO CREATE A LEGAL INSTRUMENT.
BerinSzoka: Briefly, we're talking about a fundamental change in the ecosystem. You should reach Opt-in Dystopias to consider the bad results from this world. This will be bad from competition and also for privacy.
<hwest> If folks haven't seen the Opt-In Dystopias paper Berin is referencing, it's here: http://www.law.ed.ac.uk/ahrc/script-ed/vol7-1/lundblad.asp
BerinSzoka: In this world, users will have to be opting in to a LOT MORE collection of information. Is that really what privacy advocates want? (Also, less information will be available to users).
Marc: Without DNT, much of what we have that works will still be there. There was an AdAge article this weekend that says: "When 3P data goes away, power shifts to those with 1P data." I love my big members with 1P data, but real concerns on pure 3Ps who are at the table and do great things for the ecosystem.
<jmayer> I'd like to hear from OPA and publishers, if they're in the room.
jchester2: The ecosystem has already been changed by real time bidding. We have a huge data collection ecosystem that needs to be addressed. And DNT will help address that. And advocates have made huge concesssions. We need to get privacy off the table for users.
<npdoty> +1 to Marc on the concern for shifting power by company size or by 1st/3rd, we should be cognizant of this
aleecia: So let's stop repeating points. We've talked about walled gardens and paywalls. We've talked about lawsuits and trust issues. We've talked about arms races with cookie blocking. And we've talked about the problems for a lack of standardizatiton.
... We've also talked about increased tracking in an opt-in world. And potential for increased regulation (possibly written by folks without good understanding of technology), And increased regulatory attention in Europe.
... DNT can be a useful tool for compliance in Europe. And we've heard there will be more enforcement in Europe. Some browsers have said they'll do more if no DNT. And other outlets for DNT, possibly through DAA, FTC, or IETF.
ifette: Point of clarification. On your (just made) PPT, you say that DAA will be cookie-based only --- I think that DAA wants to go for a different mechanism if this fails.
FrankWagner: If we have no DNT now, we'll have increased complexity for users.
aleecia: What would opt-in look like for your sites?
<dsinger> I do think that the W3C publish-implement-learn-discuss-revise model is hugely better than slow-moving regulatory model (and, I hope better informed in the first place)
ifette: I asked on the mailing list for good examples of opt-in. I was told about the ICO and the FT. The ICO has no third parties, and the FT has "if you don't like cookies, close this window" and 50 are installed regardless.
aleecia: How do you deal with Euro std if cookies are set before choice? No one has really done this wekk yet.
... Maybe DNT can offer some ease there, if regulators might be OK with that.
Wheeler33: Two points. Publishers make a lot of revenue from third parties. The impact will be felt by 3Ps and the publishers.
... (2) Impact on users. Not clear that users really understand difference between 1P and 3P cookies. Or understand how DNT differentiates.
... There's a belief by users that DNT will make behavioral advertising will go away, and that's wrong. It will still be done, just through 1Ps.
aleecia: You're making a different point. How will it be different if no DNT.
Wheeler33: Without DNT, the money will flow better.
aleecia: That's not clear for all the reasons we've just heard.
Wheeler33: That's my answer
... AND, not clear that if this really does work, users will be confused because they don't get 1P v 3P.
<BerinSzoka> To Aleecia: I think there are actually three scenarios we need to be talking about here: (i) DNT premised on the default-off consensus of this group, (ii) DNT that is coerced to be default-on (what Wheeler is speaking to, and (iii) DNT fails--which likely leads to #2 by legislative or regulatory means
<Chris_IAB> Why is the speaker not allowed to make his position without interruption by the Chair?
aleecia: To be clear, we're talking about : "In a world . . . without Do Not Track"
jmayer: BT.com has an interesting approach to cookie law. They drop cookies, but then delete immediately if you don't grant consent. Some regulators might be OK with that.
... Want to address the economic issues. You're right that 1P and 3P is blurred. The economic impact --- not clear who will suffer. But we can be clear that 1Ps will *really* suffer with AdBlock because with technical solutions, all ads are blocked regardless of party status.
<sidstamm> Chris_IAB, he was making a point relevant to what happens if DNT *does* exist, which is not the scenario we're discussing. The speaker was allowed to make his point relevant to the scenario after the intteruption
BerinSzoka: I like Wheeler33's comments. Options are (1) DNT on when default is off, (2) this group breaks down, or (3) DNT on by default. I'm concerned about this last scenario when DNT-on is coerced by Hill or FTC which is different than contemplated by this group. This group needs to stay on track to keep DNT off by default.
<Chris_IAB> sidstamm, it doesn't matter what his point was, it's that he get's to state it without interruption...
aleecia: To be clear, the group isn't saying DNT off by default, it's DNT is *not set* by default.
... (tiredly) anyone else on this?
<BerinSzoka> I take Aleecia's point, but I don't see how it changes what I said
<jmayer> A few asked for a pointer to my paper on third-party tracking (including some economic analysis). See https://www.stanford.edu/~jmayer/papers/trackingsurvey12.pdf.
<Chris_IAB> let's not get into a semantics war here
rigo: We are all working on the assumption that no one ever changes their browser. But IAB Europe put out a very interesting poll saying that 56% of Euro users delete all their cookies once a month.
<npdoty> BerinSzoka, I think Aleecia was just clarifying; it might help us in the press to clarify that the default question is not a default to tracking, but a default to no preference
<justin_> But that could just be anti-virus, yes?
aleecia: not really on point.
<Chris_IAB> I think the gentleman was quite clear actually
<asoltani> +1
<Wheeler33> The w3c solution MUST reflect user preference - without DNT user preference remains with the users
<sidstamm> +1 to "more pressure for better cookie management tools if no DNT" from WileyS
WileyS: Another option could be better cookie management tools from the browsers. Especially in Europe to deal with cookie directive.
JC: Disagree with WileyS. Cookies don't work. Need to look at non-cookie options.
WileyS: We're talking past each other. Rigo's point is more that you may not need DNT since people delete cookies.
<Wheeler33> agree - OBA cookie targeting effectiveness drops off a cliff after 30 days
Brooks: To rigo's point, the presumption isn't that tools aren't being used, because without DNT people are finding way to express choice today.
asoltanti: One more observation: one of the benefits of DNT is innovations of tracking will be more accepted.
<Wheeler33> if there were standards for cookie deletion after a certain time period - would we need DNT?
<rigo> WileyS, that's actually not what I meant. I meant that people make a choice if we give them a tool to do that
asoltanti: Because there will be cross-technology express of preference, new technologies in innovation might be more accepted where DNT off on exception is granted.
<jmayer> I completely agree with Ashkan's point. In other words, in a world without Do Not Track, new tracking technologies continue to result in public debacles.
* aleecia notes that asoltani is a disembodied voice from the ceiling
aleecia: Different people have different concerns. Some OBA companies may not want DNT at all, which is understandable from their perspective. Europe has a particular perspective that we should take into account, though recognie ifette's point that we can't accomodate all legal frameworks.
... so what happens if we leave here without an agreement? This discussion continues in other forums. We'd do a better job dealing with the issues here rather than fighting on Capitol Hill for the next year and half. Not fun <laughter>
... So what are our options now?
... We had 5 proposals in DC. We whittled them in DC to 2. We've whittled both closer together, but several people are unsatisfied with both.
aleecia: We could write up both in standards fashion, and get comments on both and then adopt the least objectionable. That's not a great result, but that's the default of where we go to.
<npdoty> aleecia: that is the default, but not an attractive option
aleecia: Or we could pick one. Or we could come up with new ones. Or we could go back to other options that sound better now.
... Or we could fail.
... So what should we be doing?
... Looking for guidance from people who aren't proposal authors?
Chris_IAB: I propose that if we want a solution that includes 90+% adoption, we go with WileyS's proposal. It's realistic and based on lots of years of learning and industry experience.
<npdoty> adoption immediately, i.e. in the next couple months
Chris_IAB: It's realistically implementable by industry.
<BerinSzoka> Maybe we should make like the French Revolution and re-seat after lunch according to which side of the aisle we're on: Shane or Jonathan!
jchester2: There is movement here, There is an understanding that things have to move. Consumers have moved a lot. On 1Ps, we've moved. On defaults, we've made concession. Or logging protocol data, we've moved. And I acknowledge that industry has moved too.
<hwest> I think it's important to simply accept that everyone has made significant progress and concessions
<sidstamm> hwest, +1
<robsherman> +1
aleecia: I'm reading that as support for the idea of continuing to move toward each other.
<efelten> So let's figure out how to close the remaining gap.
dwainberg: As a distant observer, the group has gotten a bit into the weeds. Rather than horsetrade, we should back up and understand the bigger picture and go from there. And we need to consider the possible unintended consequences.
<Zakim> npdoty, you wanted to ask about adoption timing
<Chris_IAB> to clarify the comment that was made after my statement, IAB was not listed as an author on Shane's proposal, but I personally support it
npdoty: Want to follow up on Chris_IAB's point. And the question of how fast adoption will happen. We need to consider adoption rate, and how fast we want to move. Do we want to phase some parts in?
aleecia: Maybe you were suggesting that a phased proposal is the way to go. Phase 1 then Phase 2, etc if they would faciliate compromise.
tl: Don't want phased proposal. If folks lag on implementation we have option options as browser (duh-duh-DUH)
<Chris_IAB> I like the "let's get out of the weeds and see the forrest statement"-- Shane's proposal will likely have 90+% industry adoption in no time. Are we here to get a "DNT win" or are we here to keep hashing something out until we ultimately kill it?
jmayer: I want to second the phasing point. To the extent that comlanies are going to have to implement new tech, totally reasonable to giving cos some grace period to implement if that narrows the gap.
aleecia: This was discussed on a call and industry didn't really want that approach.
<Chris_IAB> see the forest guys...
erikn: What should we do next? We should focus on text. Talking in abstract not terribly helpful.
<justin_> +1 to erikn
<jmayer> I've had more conversations with ad companies than I can remember; some really wanted phase-in, others didn't. Mixed response.
erikn: Going through the points will help move us toward the center.
rvaneijk: The proposal I have is to focus on added value of DNT. The WileyS proposal just reflects a lot of what the DAA has already done. Starting at Do Not Target doesn't really focus on the added value of Do Not Track.
... We need something extra from this process, not just existing self-reg.
hwest: On phase in, phase out, we can't decide that until we know what spec means.
WileyS: I see the counterproposal from EFF as aspirational. I don't disagree with their aims, but will require significant cost and time to get there. We should agree on what we can do now NOW and then work on technical, standardized approach to dealing with the other aspirations in EFF/Stanford/Moz proposal.
... We should immediately begin working on those issues, and one day they could become the DNT standard. But technology isn't there yet.
<hwest> I don't think that's reflective of industry
aleecia: So you see your proposal as Phase 1 and EFF proposal at Phase 2 but with no time limit?
<hwest> In terms of phase one/two and the two proposals
<npdoty> WileyS: we could, suggesting a second round of this Working Group
<npdoty> <laughter> on "job security"
<BerinSzoka> I'd say this is more like Job than a job
WileyS: Yes, there's no planned Phase 2 for this group, but we should have one. Job security <laughter except from aleecia>
aleecia: We could have two standards that come out of this group.
WileyS: I strongly disagree with THAT. Would be too confusing.
aleecia: How is that not what you just said?
WileyS: It's not responsible to put out the EFF proposal as a standard right now.
... Too many blanks to be filled in at a future data. Can't reach those aspirational goals today. Two standards might be worse than none.
... And eventually that proposal could supplant the interim (?) WileyS proposal?
aleecia: So what you're saying is you like the direction of Jonathan's proposal, but it's not baked yet?
<npdoty> supplant the original DNT, rather than "interim"
WileyS: I don't think it's achievable yet?
npdoty: Could we bridge the proposal with MUST/SHOULD language?
<Zakim> npdoty, you wanted to comment on MUST/SHOULD, or iterations
<justin_> I don't think advocates would be comfortable with that.
<rigo> avk ifette
ifette: SHOULDs are problematic in the spec. SHOULDs may create unreasonable expectations from users and regulators. I'd like a spec with all MUSTs.
<npdoty> I do recognize the concern about SHOULDs, I was only proposing it because maybe it could be an attempt at a middle ground
<npdoty> ... and give people a direction/confidence in a future iteration
rigo: I don't think a version 1 debate will spare us from testing out the pain points of how far industry is willing to go today. Also, big issue of trust --- will industry come back to the room for a rematch?
... But that said, it's a valid option.
<johnsimpson> I agree with Ian. Specs should be musts. Where I suspect we disagree is what the musts should be..
<WileyS> Fair - amend proposal to "MUST" from Industry proposals and "MAY" for advocate proposal
<Chris_IAB> how about we get a balanced v.1 spec out, see if it works, and go from there?
<Chris_IAB> iterative work
<Chris_IAB> seems rather agile, actually
ifette: As far as a version 2, would be better to circle back. My reading of jmayer et al proposal is "We don't want 3Ps to have a record of your browsing activity." But industry approach is: "We charge based on impressions, and that valid business model can be done without violating privacy."
... We need to find a way to charge people while protecting privacy. jmayer may point to papers, but I think more research and testing needs to be done to make sure CPM (etc) model can be done with privacy respected but without rampant click fraud, etc.
aleecia: We could have two last call docs, first the WileyS approach, and second the jmayer proposal that folks will have to get to eventually (?)
<npdoty> ifette: wait for a certain successful deployment of a technique, and only then standardize that as an additional version [am I capturing that right?]
aleecia: that's in line with what you propose, to spend more time on the jmayer proposal but to implement what can be done today TODAY
ifette: I want to make sure that jmayer approach is implementable before we put it in Last Call.
... I can't vote yes on a LC until I know it's implementable. That's my bottom line.
<hwest> Last call should not be fragmented, IMHO
SusanIsrael: I agree with that. We should implement what we can now while commiting to work on the harder options. But it's somewhat unclear, which is why we can't put in a LC document today. But would like to have a commitment to work on another LC later.
<Simon> Speaking from experience (CableLabs has put out alot of succesful specs) any spec will need revision as technology changes. Need to get something out that can be used now.
tl: Let's presume the only thing we're concerned about in 3Ps having total view into browsing activities. If they can do what they want to do without that, great. But if they can't, those are illegitimate business models. (Don't want to bless short-term?)
<npdoty> susanisrael, I'm curious how we could phrase those commitments
jmayer: This may be soundly rejected. But it may be worth it to have a very difficult conversation on PETs. It will be very technical and uncomfortable, but there are some wonderful technical people in this room who can chart a way to move the ball forward.
aleecia: Yeah, we often do that, are we usually disagree. So that gives me pause.
Arvind: The researchers have done all the necessary research to find privacy-protective ways to achieve your business models. But just saying "Hey, we need new research."
... isn't fair.
<npdoty> are there ways to encourage iterations to move forward without waiting for a new standardization effort? could we say "best available and feasible efforts"?
Alan: Not saying that we need new research. Question about whether Google, Yahoo!, etc can implement. But concerned about two standards. If we have two, regulators are going to want to require Version 2 right away.
... Unless we bend over backward to say that Version 2 is not implementable today (which some would object to!) concern with two different standards.
Chris_IAB: Clarifying earlier statement. Want to be clear that we can't boil the ocean. Over the last two years, I've created technical spec with IAB. Any company that subscribes to agile development would say let's put out now what works, test, iterate, and then evolve the spec.
... That's how it works on the industry side, and by and large, everyone has over time adopted v1, v2, v3, etc.
... By boiling the ocean, you stop something from getting to consumers. Getting something workable today is a win for DNT and advocates. We'll find out from v1 if we need to do more.
... If there are complaints, then we start a new working group.
<npdoty> is there a clear way for us to determine exactly how many complaints are necessary to support a new iteration?
jchester2: I appreciate what WileyS and ifette are saying, it just won't work to have a phased-in approach. Regulators and advocates want a reasonable standard TODAY. Industry approach as is is unacceptable. Let's get the proposals closer together and continue to evolve.
... Won't be acceptable to say "let's do an OK approach and then wait ten years and fix later."
<Snarky cross-talk>
<jmayer> Chris_IAB, it's hard to focus on the conversation when you keep interrupting. Could you please add yourself to the queue?
aleecia: Why aren't we just putting the two docs out for vetting? Because both are objectionable to a large swath of folks.
... Has anyone moved from "Can't live with" to "Can live with" on either of these proposals?
<Chris_IAB> jmayer, sorry, I was following your previous examples :)
aleecia: No one seems to have moved.
<npdoty> "easier to live with"
<Chris_IAB> but in any case, I believe the scribe got it right here, so go ahead and read up
aleecia: We are still in the world of pain. If we flip a coin, either way we lose. And we've received feedback from regulators around that world that industry proposal is not sufficient.
<npdoty> I'm also in the category of not being familiar with all the details of latest proposal from Shane
aleecia: And we've had feedback from jmayer standard that current proposal is not implementable.
... So we fifteen minutes. No one has any bright ideas.
<justin_> Why not Zoidberg? (CDT proposal)
<npdoty> justin, maybe we could do a comparison or merge of the CDT proposal with the latest from Shane et al. and Jonathan et al.?
rigo: There are some pain points. The pain points are not as bad as some might have us believe. Seeing the differences in details will help advance us significantly
BerinSzoka: No cost opt-outs don't scale.
... It seems to be that we are all here because we've assumed that we're assuming a certain low opt-in-to-DNT threshold.
aleecia: scolding BerinSzoka for not staying on topic.
hwest: A lot of us have a problem with multiple LC docs. We very much don't want a fragmented approach, and that's what two LCs does.
aleecia: Does anyone really want multiple LC docs? (No one raises hand)
efelten: We only get ONE bite at this apple. When we get a consensus proposals, then all the forces we talked about earlier come into play.
... Echoes erikn's point that we need to focus on text.
... Let's talk through nuts and bolts and stop claiming "everyone want this" and "no one wants that"
<james> +1
<npdoty> efelten: a focus on text
asoltani: Echo idea that merging the proposals is the best way to go given the political pressure.
... Maybe we should have DNT-beta --- you can respect one of two proposals. Let consumers opt for which one they want. We'll then have metrics as to what people want. It's a little bit complicated, and not necessarily the right idea, but could work as a back-up plan
<rigo> +1 to ashkan, W3C can organize joint development around DNT v.2 Beta if this has sufficient support
<WileyS> Wasteful suggestion - doubles implementation overhead
<hwest> Let's focus on moving forward instead of the "what if it doesn't work" ideas
aleecia: And of course, you might see different treatment of users, because users might see firewalls, paywall, etc. So not a survey but test of different implementations.
<justin_> +1 to WileyS on this point!
<rvaneijk> I rather see one DNT than forked versions.
aleecia: This testing assumes that good data would actually change anyone's mind!
<sidstamm> +1 hwest ... phased deployment and versioning adds confusion and implementation overhead
rigo: W3C can organize this testing.
<npdoty> I think Ashkan was talking about not getting behaviorally targeted ads, like "Do Not Target"
ifette: I understand asoltani's basic point. But I don't think that anyone in this group would be willing to offer and support a "Do Not Advertise To" signal and continued to offer free content. Users need to see consequences.
<asoltani> clarification: DNT:0 = unset, DNT:1 = shane's proposal , DNT:2 = eff/mozilla
<asoltani> if many people send DNT:2 but sites only support DNT:1, then we need to revisit
ifette: Key point: Don't see how we can implement jmayer's approach without significant hit to revenue. Until we get to the point that we're comfortable with understanding the economic impact, you won't see implementation.
<npdoty> 'until we actually get to the point where people are confident on the effect (in terms of revenue) they aren't going to implement'
<sidstamm> asoltani, how do users express consent for tracking (as per each proposal)? negative numbers?
ifette: The industry proposal, we understand what we think the impact is going to be. Not knowing the impact is holding back the jmayer proposal?
aleecia: So what do you propose to get industry to get data?
<npdoty> ifette: need to be able to show the impact of a proposal, details on data
ifette: Get a big third party to implement it and publish the results.
<BerinSzoka> Well said, Ian. When I said that "No Cost Opt-Outs Don't Scale," this is precisely what I was talking about: not just the default question but also the question of users making choices that don't reflect real-world tradeoffs inherent in exercising DNT
<asoltani> sid, settings needs to have 4 states. unset, allow tracking, opt-out of targeting, opt-out of collection
ifette: jmayer keeps saying that client-side scales. Google has bought companies who had this business model AND IT DIDN'T SCALE. We've really tried. So this is why I'm skeptical. I understand aleecia's desire to move forward, but we have no data points to say how jmayer model will work.
aleecia: But none of this has seen proven data point that this will work.
<rigo> I think W3C can offer a framework and platform to test out stuff, organize research, help with acquiring funding for advanced development and test things out
<sidstamm> asoltani, thanks
aleecia: we're low on time. If you have a new point, then you can talk.
<susanisrael> +1
<hwest> +1 - this will be an iterative process if it's going to succeed
Alan: Not sure we only have one bite at the apple. We may be able to finesse this to allow iterative approach that satisfies everyone.
<rigo> kind of stable + unstable approach and moving
tlr: Timing is slipping --- need to figure out what to do about charter.
<susanisrael> my +1 was to the idea that this will be an iterative process. That was my point rather than the fact that only one proposal is acceptable. Let's work through text, do what we can agree on, and agree to keep iterating
tlr: Current working assumption is that at some point we'll announce an extension of the charter without a change to the scope of the charter.
<jmayer> Thanks for taking great notes justin!
tlr: If there are changes to the scope that people think are important or desirable, come talk to me.
... Enjoy your lunch.
<BerinSzoka> drinks tonight: Tracktinis for all!
<aleecia> Time to get started again...
<npdoty> scribenick: jmayer
aleecia: talking about user agents
... talked before, day before microsoft announcement
... mostly about anti-virus software now
... some language in TPE, not Compliance
... looking at a couple issues
npdoty: new members, here's how to join irc
aleecia: thanks
... help available if you need it
... back to issues
... talking about ISSUE-150
... start there
<aleecia> A given device may have multiple sources of user preferences, for example a browser could have a DNT user setting, plus an add-on or plug-in could have a DNT user setting. One DNT choice must be sent. We do not specify how conflicts are resolved.
aleecia: decision that while there might be conflicting user choices on a device (e.g. browser + plugin/addon), leave it to those sources of preference to resolve
... language pasted in irc
... looking to get consensus, hear dissent
tl: middle part should not be normative
aleecia: move to example section?
tl: ok
aleecia: npdoty is editing in realtime
... proposal: new paragraph with former middle part, example section
dwainberg: doesn't this interact with the defaults discussion?
aleecia: yes, for example, if mozilla doesn't have DNT on by default and a plugin does, they have to reconcile
... could imagine the same by IE
... up to user agents to resolve conflicts
... in other words, it's related to defaults, but a separate discussion
<cross-talk managing queue>
<bryan> Re "One DNT choice must be sent", does that mean any and all Web user agents (any Web-enabled application) must send the same value for a particular default or domain? Multiple UAs/apps in a single device would need system-level support for that. Any device that did not provide such support would be inherently non-compliant. Is that what is intended?
bryan: asking question pasted in irc
aleecia: how about rephrasing, you must not send more than one DNT value per request
bryan: to be clear, we're not saying every user agent / app has to have the same setting
aleecia: right
<dwainberg> Would a program setting DNT outside the UA, e.g. injecting into the http request, be an "intermediary"?
hwest: concerned about a different issue
... but related to defaults
... if this is just about sending only one value per request, ok
aleecia: ok, yep, seemed an easy point of consensus
<erikn> ISSUE-150?
<trackbot> ISSUE-150 -- DNT conflicts from multiple user agents -- raised
<trackbot> http://www.w3.org/2011/tracking-protection/track/issues/150
ifette: what about identifying who set the preferences?
aleecia: that's ISSUE-143, a separate discussion
ifette: less fine with this if information about attribution isn't there
tl: don't like notion of attribution, adding lots of information to user-agent
aleecia: again, ISSUE-143, another conversation
... group ok with text?
<crickets>
aleecia: moving on to ISSUE-149
<hwest> I think the group will need to confirm that we're ok with that text once we address 143
aleecia: roy added language about on vs. off vs. unset
<hober> ISSUE-149?
<trackbot> ISSUE-149 -- Compliance section for user agents -- raised
<trackbot> http://www.w3.org/2011/tracking-protection/track/issues/149
aleecia: section 3 in tpe, determining user preference
... comments?
<rigo> scribenick: rigo
<scribe> scribe: rigo
hwest: two choices may not be sufficient. Alternative to unset or only two
AM: minimum of two is currently in the spec
HW: we have an open issue on that. Not fixed yet
AM: show of hands of
Roy: this is what the choice that is offered to the user
MTS: questions: Does not allow for a german user "an" "aus"? and a tool that only send DNT:1
... so even a tool that only sends DNT:1 must be able to be switched off
npdoty: even with the current text that would require at least on and off
jmayer: does that mean that uninstall is sufficient?
<jmayer> Or if the browser offers a "Disable" option, is that enough?
HW: DNT should fully implement the Specification
AM: is it sufficient to remove tool
HW: no
<asoltani> what if the notice is in the privacy policy?
<justin> That's not in the spec yet.
<asoltani> in for example, http://www.google.com/policies/privacy/
<jmayer> I think this conversation is conflating different issues: notice, defaults, choices, ...
adrianba: 1/ lot of discussion about tools and add-ins. user agent has the collective thing that user uses, including all plugins
2/ spec talks about the ua have to offer choices, but offer is not defined (how choices are offered is out of scope).
jmayer: language proposal: instead of offer (user agent has to do something) "a user must be reasonably able to ". Any tool must be able to put the user in one of those states
MTS likes this
<justin> hwest, can you elaborate why we should prescribe that a privacy-protective add-on must be able to send DNT:0? What's the point?
tl: dislike this. If I have my add-on to only should send DNT:1.
<justin> That's totally fine.
<justin> I have no problem with a DNT:0 add-on that doesn't send DNT:1
<justin> If it's installed deceptively, I am comfortable informing the FTC about this add-on.
<tl> justin +1
aleecia: would you be comfortable having an add-on that only makes DNT:0 headers?
tl: yes
<adrianba> If the user can turn off an add-on in their user agent then the user agent (as a whole) offers a way of turning the signal off
<WileyS> Ian made my point (individual vs. collective)
<hwest> justin, it's the DNT0 plugin example - would you be ok with that? What if it's loaded without user interaction?
<justin> hwest, yes I'm fine with a DNT:0 plugin.
ifette: agree with Jonathan (laughter). User must be able to express on off or unset. If we look at individual tool than must be able to express all. If the entire environment (adrianb's point) than should be sufficient
<justin> If it's loaded without user interaction, I look forward to the cy pres award funding my work for the next several years.
erikn: does DNT:0 have to be supported?
AM: what requirements on what you want send, what is the minimum bar we have
<npdoty> can we just delete the whole paragraph? user choice requirement is present above
hober: does a UA have to do 3 options, that is distinct from the UI question of how to present that. People are concerned about limitations on UI to must be able to express 3 states
<BerinSzoka> I just wanted to know how this conversation intersects with negotiations between sites and users
tl: some UA like tor browser -> defaults on high privacy. tor - browser will not offer dnt:0. Should they be non-compliant
<BerinSzoka> might sites offer plugins to turn off DNT:1, for example?
<justin> This seems like a different point.
jmayer: practical impacts 1/ if we set must on DNT:0 every single implementation is non compliant
... 2/ there is a UI implication, you have to have a choice
<erikn> (a choice that can't be a checkbox)
<BerinSzoka> my question simply put: It's important to me that we don't do anything to thwart negotiations between sites and users because, as I said before, no-cost opt-outs don't scale. So my specific question is: Might sites offer plugins to users as an easy way of either turning off DNT:1 OR creating an exception for their site/network as a quid pro quo to gain access to content?
<justin> I don't think anyone is saying that DNT:0 needs to be presented clearly and prominently --- just that it needs to available.
jmayer: 3/ same sementics could be done out of band
<justin> BerinSzoka, plugins aren't how sites will do negotiation. We have separate mechansisms for allowing the negotiation you're discussing (in-band and out-of-band consent).
<justin> BerinSzoka, I mean, they can require a plug-in if they want to, but there are easier ways.
rigo: need for on off unset needed for consent. Also the ecosystem is a bundle with the 3 options
<justin> I would strongly object to saying that DNT:0 must be as prominently offered as DNT:1
ifette: good to have concerns, but requirement is limiting to the point that a user shouldn't be forced to uninstall, symmetry of turning on and off being equally painful or easy
brooks: AVG and so on: none of those are UAs, so should we accommodate. "Able to do HTTP request".
AM: how does that affect
<npdoty> Ian, is this what you're talking about?
<npdoty> A user agent MUST make it equally easy to configure their agent to each of a minimum of {two|three} choices for a Do Not Track preference.
brooks: AVG is just changing an entry in the registry, not issuing HTTP request
aleecia: different issue that we take differently?
brooks: it is bundled
aleecia: re-defining user agent is not next 15 min
rigo: tie it to ISSUE-151 because it also requires exception mechanism to be present
<npdoty> ISSUE: what are the implications on software that changes requests but does not necessarily initiate them?
<trackbot> Created ISSUE-153 - What are the implications on software that changes requests but does not necessarily initiate them? ; please complete additional details at http://www.w3.org/2011/tracking-protection/track/issues/153/edit .
AM: tools that change settings, but do not issue HTTP requests
adrianba: I disagree that symmetry of UI is necessary. I think how options are offered to a user is up to the user agent. Products should be free to compete on this basis.
dwainberg: are we in issue freeze?
aleecia: only at last call
... 1/ on off unset
2/ implicit on off by uninstall
3/ on off unset per entire system
aleecia: started with 2 options, nobody supported that
so opposition between one option and three options
<npdoty> adrianba, was your point that we could leave this paragraph out and leave it up to the UA?
4/ need on and off and unset and same level of effort to set on, off or unset
<justin> ifette, So on the symmetry point, you think we should prescribe that upon install (or in settings), everyone would need to offer equally weighted options for "do you want to tell websites not to track me" and "alternatively, do you want to tell websites they can track you all the time"? We want to put that in the spec?
Chris_IAB: question to tl: What exactly is the problem with disabling the feature. What is the rationale not being able to set off
tl: we should not increase complexity of simple tools
... browser add on will just turn on DNT:1
<bryan> what is being referred to as "the whole ecosystem"? if by this it's meant (as Rigo suggested) that a system-level setting MUST be provided for all user agents on the device, that is *possible* but is unlikely to be *enforceable* given the diversity of devices, UA types, and Internet software stacks.
<aleecia> queue closed
<npdoty> does "Keep My Opt Outs" satisfy the principle of user choice?
<BerinSzoka> but here's my question: What happens when a user running the DNT:1 plugin tries to negotiate with a site to get access to content? Will the user have to remove that plugin on his own before getting access?
<BerinSzoka> if so, won't that frustrate negotiation?
<hwest> Nick, no, Keep My Opt Outs is a blunt tool - my understanding of this working group was to have a more effective, nuanced tool rather than a blunt object a la existing tools
<justin> BerizSzoka, no
<BerinSzoka> I ask in ignorance
<BerinSzoka> how would this work?
<BerinSzoka> would the exception negotiated by the site simply supersede the general preference set by the plugin?
<justin> BerinSzoka, The industry proposal requires that UAs need to be able to handle exceptions.
<BerinSzoka> ok, so to respond to Tom: the plugin wouldn't "just" set DNT:1; it would also have to allow exceptions
aleecia: bryan wants to have a setting per user agent, not per device
<BerinSzoka> right?
ifette: should not be limited to DNT:1 tools.
<tl> BerinSzoka: Yes. Add-ons can break things. If I installed an add-on that disables cookies, that would likewise break things. I don't think sites should be able to ignore preferences that come from simple tools.
aleecia: 1/ user agent must be able to do one choice
<justin> BerinSzoka, I think tl's assumption is that the browser will be able to handle the exceptions. I do not believe that the advocate proposal requires dealing with exceptions.
aleecia: 2/ three choices on, off, unset
<tl> Also, I am not in favor of the industry proposal.
aleecia: 3/ 3 choices with equal effort of setting of all
<BerinSzoka> so, Tom, just to make sure I understand clearly: you envision plugins that would make negotiation impossible because they couldn't process exceptions? the user's only recourse would be to uninstall the plugin that "breaks things?"
tl: only signal on the wire
... should not specify user must configure. Signal means the user has made a choice if you see the signal
... nothing represents my opinion, not the first
<bryan> +1 to Tom's suggestion: we should talk about expressions over the wire and not how they have to be manageable in UAs
tl: would delete the sentence. Must reflect the users choice ... and no sentence on offer choice
dwainberg: where do we make that choice? OS, UA, ecosystems
aleecia: we talked about plugins, user agents
... something that can change the value of an HTTP request is one issue
dwainberg: want to get that first
aleecia: will re-open later
<susanisrael> sorry if this is resolved, but to the point david is making, is it possible that different user agents could be treated differently? and have different requirements?
jmayer: question: there me be a substantive difference: around when a browser claims compliance with the spec, we want at minimum to express DNT:1
... difference is that it would be installed and does just that
<hwest> I think this discussion is whether or not we want to have blunt tools or fleshed out tools
aleecia: what is threshold for sufficiency...
<schunter> ian: want to speak?
<bryan> I think the inability to nail down what a user agent is (e.g. in terms of the diversity of ways in which Web-enabled clients can be built and deployed), indicates that the best approach is to remain silent on this UA configuration point.
aleecia: straw poll
for silence: 14 hands
for three choices: 23
<tlr> for rough magnitude, we're fine
for one choice: 14
aleecia: if you can't live with one choice
7 people can not live with silence
16 can not live with 3 choice
aleecia: fairly even split
<justin> And that's not even accounting for required symmetry!
<BerinSzoka> "Do you prefer 2 over 3?" This is like having an argument with your ophthalmologist! "Better 2, or better 3?
<npdoty> ?
<npdoty> ACTION: aleecia to issue a call for objections on symmetry/minimum number of choices [recorded in http://www.w3.org/2012/06/21-dnt-minutes.html#action01]
<trackbot> Created ACTION-214 - Issue a call for objections on symmetry/minimum number of choices [on Aleecia McDonald - due 2012-06-27].
Resolution: MTS and Aleecia will issue a call for objections
=============
aleecia: We had 8 page table and had an incredible amount of agreement
<ifette> ScribeNick: ifette
Aleecia: Back in DC we had lots of tables where people had a lot of agreement, and a few disagreements
... we were going to write this up, Aleecia ended up doing this
... would like to work through this as much as possible, do some live editing
<npdoty> http://w3.org/2011/tracking-protection/drafts/combo-draft.html
Aleecia: and get pieces we appeared to be near consensus to actual consensus
... this "should" be easy
... going to skip to Section 2, information practices for all parties
... going to go through this, please scream/q+ if you want to speak against something
... additional voluntary measures (reads)
... reads 2.2 user permission and consent
<susanisrael> i would like to return to some of these definitions at some point as i believe they are not as precise as intended.
hwest: how granular do you want to get
aleecia: want this to be the language in spec
hwest: well then
... first sentence, consensus was closer to "a party is not bound by these requirements" as opposed to "a party may now do these things"
aleecia: ok
hwest: an out of band consent for option b (just say "an out of band consent")
... we need to be clear/consistent around "consent" vs "choice mechanism"
aleecia: "choice mechanism" will probably cause us less problems
hwest: a party is not bound by these guidelines if a user grants an exception to that party/parties
tl: disagree, out of band consent may not be "please ignore my dnt signal"
hwest: fine with language "as granted by the user"
aleecia: please, IRC
... ya'll (hwest+tl) work on that
rigo: assumes permission and consent, out of band, we have two
<hwest> "A party is not bound by these requirements and guidelines to the extent that a user grants an exception to that party or parties"
rigo: for dnt:0 we have in-band consent
<hwest> tl, does that work for you?
aleecia: you're saying we have a and b but there should also be c
<tl> What's the URI of the doc that npd is editing?
aleecia: i understand
... (third option for you receive dnt:0 not by an exception but because the UA is sending dnt 0)
<justin> tl, http://www.w3.org/2011/tracking-protection/drafts/combo-draft.html
aleecia: thx
... think jmayer next
jmayer: since we're discussing language, don't intend to substantively change meaning but instead clarify
... sites may override dnt preference if they receive explicit informed consnet
... seems contradictory
... propose party may engage in info practices otherwise prohibited by this specification if a) b) c)
npdoty: can I combine with heather's sentence?
aleecia: same idea
<jmayer> Here's what I just read: "A party MAY engage in information practices otherwise prohibited by this recommendation..."
johnsimpson: don't understand MUST vs SHOULD here
... when seeking an exemption, sites MUST communicate these requests clearly
fielding: MUST is a hard requirement, won't occur successfully without this
... SHOULD is MUST unless you have a good reason not to
... read RFC2119
http://www.ietf.org/rfc/rfc2119.txt
scribe: in SHOULD case there may be good exceptions but you don't know them a priori, for MUST you have to list the exceptions apriori
<tl> Everyone should read RFC2119
<tlr> +1 re RFC 2119
<tlr> http://www.ietf.org/rfc/rfc2119.txt
npdoty: reads
<tl> hwest, how about: When a user provides a party or parties with an exception to one or all of these requirements and guidelines, that exception overrides their DNT signal.
schunter: should be more general, through other means
aleecia: oob consent handled in other doc
<justin> As I have noted before, approval of the language around consent for UGEs needs to be dependent upon approval of the language around consent for UAs to set DNT:1 in the first place. The point is worth noting, but I don't want to interrupt the convo . . .
rigo: Matthias says this section doesn't apply, but we then don't get to meaning of dnt0
... may be tweaking necessary
... in another section we may want to define what dnt0 menas
... have to make sure this section doesn't contradict the other one
aleecia: open issue
jmayer: party is not bound by requirements in this section - presumably there are things not just in this section that applies
... anyhow "this section" seems ambiguous
... believe intent is anything prohibited in the doc is now allowed
... haven't discussed level of specificity
aleecia: section -> document
... ?
jmayer: specificity
... "a party is not bound by"
... they are bound, just not required to do so
... document still has force, they just are not required to do certain things
aleecia: text?
<jmayer> resend: "A party MAY engage in information practices otherwise prohibited by this recommendation ..."
ChrisPedigoOPA: section "MUST comply with and align with consumer protection laws..." is problematic
<hwest> jmayer, that's the direction I was going for too, that looks fine
ChrisPedigoOPA: its assumed you will comply with the law
<robsherman> "applicable law"?
ChrisPedigoOPA: when you say operate, rigo can correct but operate is a dicey term in the EU
<efelten> +1 robsherman
aleecia: debated to death around comply with law
... not attempting to get in jurisdiction
... only looking at normative sections
... close on this
<jmayer> The language now only provides exception from "...for All Parties"
<jmayer> Should be broader, right?
aleecia: reads "a party may receive conflciting signals, specific overrides general, ..."
tl: stuff about what should go in the status resource should go in the TPE
aleecia: which sentence
tl: if a party chooses to track based upon... must indicate ... supply a link
aleecia: if a party chooses to track based on prior consent, their response must be as defiend in the TPE etc.
<tlr> +1, don't put normative language about protocol into this spec.
aleecia: just point to the TPE, take out the middle sentence
jmayer: might be two separate issues
... prior consent in mode of you give consent at some point, come back
... some might interpret as "prior consent from before you even turn on DNT"
... and even after you turn on DNT subsequently
... not sure if we have agreement there
... suggest reframe from prior consent to "consent when DNT is on"
aleecia: would add a note here, not to the point of talking about decisions prior to DNT being on
... more complex
... we not spend a whole lot of time here now, note that it's open issue
... this is issue xyz still to be addressed
... final statement in section, oob choice mechanism must satisfy following...
dwainberg: party can get permission to do whatever they want, up to that party and regulators etc to determine if they got appropriate permission
aleecia: general principle that the more granular choice is the one that controls, not the more global one
schunter: if i have a well known uri which says my whole site doesnt do any tracking, and then i have headers that conflict, headers are more specific and take precedence
dwainberg: confusion between technical specificity/generality vs
rigo: the technology actually conveys the semantics
... specific statement by the user
<jmayer> npdoty, are you still workshopping the "A party is not bound..." sentence?
rigo: equally applies that a specific always overrides general
<susanisrael> request for clarification re: prior consent. We tabled this issue, rather than dismissing the possibility of prior consent, correct?
<jmayer> I think both hwest and I were looking for clarifications there.
<npdoty> jmayer, do you have alternatives?
dwainberg: if a party puts up a big consent thing "we want you to consent to do everything"
... that overrides any little granular settings
rigo: other way round
<jmayer> resend x2: "A party MAY engage in information practices otherwise prohibited by this recommendation ...""
aleecia: you're talking about which types of things you might consnet to rather than which parties
<npdoty> "DNT: 1" does not tell you the scope of my permission, does it?
aleecia: written in a way that this might not be clear, that's important
<jmayer> maybe "engage in" -> "conduct"
<npdoty> jmayer, hwest, please duke that out and get back to me
aleecia: need it to be understandable
... specifics about specific parties
<hwest> I actually have a comment on the next piece :)
aleecia: if you are sending a DNT signal to the entire world, that is global, you can have something specific about a given party
<jmayer> hwest, are you good with that language?
<hwest> But can duke out this piece too
aleecia: that thing specific to the given party trumps the generalized signal
npdoty: fact you received dnt1 doesn't imply it's general to whole world
tl: only applies to this network interaction
aleecia: dont have to worry about specific vs general, just say OOB trumps DNT signal
schunter: principle is ok but need to spell out instances
... OOB trumps signal, response header trumps well known URI, etc
<jmayer> hwest, [14:31] <hwest> jmayer, that's the direction I was going for too, that looks fine
schunter: spell it out
<hwest> Yes, that still works, jmayer
aleecia: try for that now
<jmayer> Ok. Nick, please swap it in.
<hwest> But I like the out of band consent trumps general anything language
<jmayer> That seems to be the consensus view.
tl: if i have a bunch of settings on a site, that i dont use regularly but they have widgets all over, nd i get a new browser and i turn on dnt1
... but i haven't gone back to that site to modify the preferences
... think its ok because im setting dnt1
hwest: comment on next piece
susanisrael: quick clarification, earlier we dismissed idea of prior consent
... not asking to talk about now
... but think we tabled issue of prior consent
... that might remain valid despite a later setting
... as opposed to dismissing it
... clarify here
<jmayer> message was that heather agreed
tl: question is if i've gone and opted into xyz or only opted into a couple of things, THEN i turn on dnt1
... and they have added more features since then
... their state about me is incomplete
... would they then assume that the DNT applies only to the things that i've already picked, vs newly added things
<JC> Too complex
tl: or am I opted into things that werent previously options
<Zakim> ifette, you wanted to say if you didnt go back to that site you didn't go log into that site
ifette: you are talking about prior consent, i will hold my comments until then
npdoty: OOB may override an expressed DNT signal, suggesting as replacement for specific overrides general
hwest: can we enumerate "an oob may override a DNT:1 and the other option we put in"
tl: think perfect
fielding: confused
... OOB overrides DNT signal period
... it overrides
<rigo> +1 to Roy
fielding: feel MAY is problematic
aleecia: also feel MAY problematic
... anyone want to fight for MAY?
jmayer: segue
... as we did before, get rid of "override" and say "you MAY do things inconsistent with elsewhere"
hwest: "or you are no longer bound by this signal"
... instead of re-granting permission, say "the requirements in this spec no longer apply" written nicely
jmayer: same fix from above
hwest: similar, yes
fielding: opposite of what i just said
... reason to say OOB overrides DNT is so that a user who has set DNT:1 globally
... has a means of still consenting to the one website they have an interest in having tracking enabled
... if you make taht optional, user can't use OOB to do thayt
jmayer: consent is not "and you must track me down"
tlr: guess wondering where we are
... editors may be in a position to rpoduce a strawman
aleecia: trying to do that
tlr: at a point where discussion is editorial
... let editors do another pass for later review
aleecia: basically happy with this, modulo roy's point
... if we move forward, hwest in queue for next section
hwest: generally when we talk about policy, we dont talk about an ordinary user, we talk about a reasonable user
... is that change OK?
aleecia: fine
hwest: anything else on OOB?
aleecia: great, reasonable user must understand
... skipping next non-normative section
... moving on
<hwest> I do not believe that we had consensus on 2.3 Unidentifiable Data
aleecia: skipped over unidentifiable as we haven't yet gotten consensus here
... will talk about later
... moving to additional requirements based on party status
... pulled out to have informatin practices for first party
... at bottom
... think we can agree on "1st party must not share with 3rd party that 3rd party is prohibited from collecting itself"
... reads
ChrisPedigoOPA: can also cover offline data
<jmayer> While I would prefer some bright-line rules around out-of-band consent, like the EFF/Mozilla/Stanford proposal, I'm willing to compromise on the "reasonable user" approach.
tl: disagree with "if it covers offline that's a problem"
ChrisPedigoOPA: host of case law about offline data
... going back 200 years, publishers have collected information off line about their customers, much case law here, this is out of scope
aleecia: great, next?
<james> out of scope
rigo: have trouble with "receive"
... creates a lot of issues we shouldnt have, what we mean here is collect not receive
aleecia: receive -> collect
robsherman: may be overreading, in which case need clarity, but DNT signal is supposed to be scoped to an interaction, here 1st party must not receive/collect data about a user
... broader than "an http request"
... other users e.g. can post info about you on facebook
... "I'm with Aleecia at MSFT"
... that's not intended to be in scope of this document, e.g. "Nick can't post about her"
... this sentence might imply that
... in my example npdoty is another party. FB cannot receive info from npdoty if aleecia has dnt on
WileyS: our definition of third party excludes users
robsherman: don't think this is intended company is never intended to receive info, e.g. billing relationship
aleecia: billing is outsourcing
... if you can give me problematic example please do
amyc: general observation, don't think we've defined "share" etc
<robsherman> Can someone point me to the definition of "outsource relationship"?
amyc: if we haven't defined key words, we may place obligations on publishers to montior all third parties
<susanisrael> +1 to need to clarify definitions
amyc: look at each verb we use
dwainberg: how do first parties know what third parties are prohibited from receiving
aleecia: from the spec
dwainberg: any third party may have consent
... api or OOB
... first party needs to know
tl: ask third party
<npdoty> A <a>party</a> <dfn title="share">shares</dfn> data if the party enables another party to collect the data.
dwainberg: shouldkn't it be up to third party
... if third party gets info they dont have consent to receive, their job to comply witht he spec
aleecia: coming up on 15h
... 30m break
... piece that came out that we have not taken on as a group is, so far we've been saying "no sharing in and out"
... hearing from chris that's problematic
... barely skimmed the surface
... should capture as a new issue
... more time on this
<jmayer> I thought we had agreement on this principle a long time ago.
ChrisPedigoOPA: have agreed first parties won't share data with third parties
<jmayer> We're technology agnostic -- first parties can't give third parties data they can't collect themselves.
ChrisPedigoOPA: question about bringing in other data to a first party still up for debate
... problem with offline data being covered under this standard
... requiring that a first party can't get data from a third party isn't an issue here
... third parties can't collect the data anyways except for specific conditions
aleecia: not sure if that is the case
ISSUE: Are First parties allowed to use data (either offline or online) from third parties
<trackbot> Created ISSUE-154 - Are First parties allowed to use data (either offline or online) from third parties ; please complete additional details at http://www.w3.org/2011/tracking-protection/track/issues/154/edit .
Brooks: ... to go back to definition of issue
... sharing is a defined term and we're almost contradicting it here
... "cause to receive"
... that is the problem
... if i'm cnn and i put a mazda ad on my site
... brooks drives a mazda, has a mazda cookie, have caused mazda to receive info it shouldnt have
... i dont know what the third party has/knows/doesn't have/know
susanisrael: want to understand the purpose, stepping back from language, to say "we dont want to create a loophole where someone turns on DNT to prevent third parties from collecting data and first parties facilitiate this by overriding DNT and using their privilege to feed that data to third parties"
... if i understand that, then whenever we return, that's the core purpose of this? may help us get to the righ tlanguage
aleecia: may not have agreement on even what that core purpose is
... break, 3:30 return
<susanisrael> by "this" i meant this sentence not the whole spec
<susanisrael> was seeking clarification as a basis for addressing the language
<npdoty> scribenick: amyc
Aleecia: starting session on proposal
... asking for scribe for final session, will be Nick
<npdoty> (npdoty to scribe final session)
Aleecia: Shane will present his proposal
Shane: not just my proposal, cosigned by multiple parties
... objective in intro, goal is DNT that will advance user choice beyond existing options and be implemented by significant portion of ecosystem
... part 1 is parties
... similar to advocate proposal, affiliates with easy discoverability
... commonly owned and controlled, similar to DAA
... affiliate list link to be provided within one click
... of page
... meaningful interaction, common ground here too
<npdoty> rigo, how about machine readable as one option? or a SHOULD?
Shane: owner or operator of site, or widget interaction
... service providers is new text, although discussed before
... also considered first party if performing services on behalf of first party
<npdoty> what does it mean to include permitted uses if you're a first party, which has all uses?
Shane: third party is everyone other than first, service provider or user
... cobranding may make 2 or more first parties
... Rules that first party can go about business as normal, can't pass data to 3rd parties
... data must be segregated, third party must not aggregate together data from first party sites
... no profiling, open to defining profile definition to be proposed
... third party cannot leverage profile to change user experience, when DNT is on
... party (first or third) cannot share data with another party when DNT:1, unless service provider
<npdoty> does that get us in to the same question about combining offline data?
Shane: outside DNT context, but wanted to note that data collected or received may be combined with first party data, DNT does not cover offline data
TL: if I am a first party, I can look at generally available data to combine with my own data?
Shane: Yes, because public info or gathered with prior consent so OK to combine
<npdoty> but 3rd parties can't combine your data with offline data
Shane: party may choose to purge, but not required to do so, just can't use
... permitted uses apply, user granted exceptions override
... Permitted uses more limited, express and detailed
<npdoty> doesn't freq capping alter the user's online experience?
Shane: For all uses, the following will apply, includes no profiling, no altering of experience
Efelten: what is profiling?
Shane: assembly of data across multiple sites gathered to predict user interest
<npdoty> wileys: profiling 'assembling data about a user across multiple sites and then using it to alter a user's experience'
efelten: processing or gathering?
Shane: making assessments based on data
... will work on succint definition
... if you do not have collection purpose for specific permitted use, then colleciton is not permitted
<npdoty> wileys: if you don't have a specific permitted use, then collection is prohibited
jeffchester: is this first party or third party
wileys: this is third party
... rules mostly apply to third parties
<Zakim> rigo, you wanted to say that we should have the list in a machine readable format as defined by TPE
wileys: to claim permitted use, you must provide retention period(s)
... reasonable technical and org safeguards
... can suggest that more is better
... public purpose, such as emergency protection and IP, is covered
sean: wanted to clarify response to Jeff?
wileys: allow first party use within first party context ok, third party use of data outside of first party experience is not OK
... but could use third party data to alter first party experience
jeffchester: concerned about tracking
Rigo: but first party can write this back into third party profile?
JC: asks Rigo to clarify?
wileys: may need visuals
... security permitted use, includes fraud, detection and defense
... don't want to have DNT used for antisecurity purposes
... next area is financial purpose, billing and audit compliance, requires uniqueness for user interactions
<efelten> "This is necessary for ..." should be non-normative, right?
wileys: need to retain proof or receipt for what was billed for
... list of billing scenarios
jeffchester: what is time limitation? IAB writes standard contracts for timing. what are best practices for timing for billing and frequency caps?
wileys: also have legal obligations for billing, state and securities and contractual
... don't know exact timeframe
jeffchester: what is typical timeframe?
wileys: think three years or more, will check with IAB
<npdoty> does Financial Purposes include whether a person of a particular historical profile has seen this ad?
wileys: frequency capping, simply a counter, may be used across multiple dimensions of ad experience
ifette: can frequency cap be shared with other third parties?
wileys: uncontemplated in this proposal
Rigo: how identifiable?
wileys: unique cookie, anonymous
<npdoty> pseudonymous?
Rigo: pseudonymous, and attached to page on which ad was seen, isn't this profile?
<npdoty> frequency capping does alter the user's experience based on their browsing history?
wileys: expressly call this out as permitted use, wanted to be clear
jeffchester: how does creative versioning or sequencing affect?
wileys: this is form of OBA, would cease based on DNT
<aleecia> of note: frequency capping data can be used to uniquely identify users, as per recent research
<npdoty> wileys: "creative versioning" and "sequencing" isn't part of this permitted use
<justin> I thought we had reached agreement in Brussels that sequencing was going to be considered tracking.
<justin> And it sounds like we're still in agreement.
wileys: debugging, scoped for repairing site errors
... replicate user experience to fix site
Roy: with user consent?
wileys: not intended to require user consent
... but in 1 to 1 interaction, may be consent based on user complaint
... last is aggregate reporting using unlinkable data
... outside scope of DNT
... is a time period to collect data before aggregating
... related to grace period discussion
... some examples of aggregate reporting
... went from 8 to 5, and 5th is out of scope
TL: any prohibited collection?
<npdoty> does someone have a diff on the 8 vs. the 5? would that help anyone?
wileys: if no permitted use, then collection prohibited
<justin> Combining multiple permitted uses into a newly named permitted use is not a reduction in permitted uses.
TL: wants to see differential between currently collected data and what would be permitted here
jeffchester: does retargeting or modeling apply to market research?
wileys: not profiling or targeting to individual
... can explain more offline, modeling is different than market research
JohnSimpson: third party could track on one first party site, as long as segregated
<tl> WileyS: [responding to tl] This is mostly about use, not collection.
JohnSimpson: but if site has 60 affiliates, a third party could track across all of that
wileys: a service provider, because the 3rd party could only provide back to first party
<npdoty> to follow up on that, users will continue to see behaviorally targeted ads, provided by a 3rd party, just based on your history on that site and affiliate site?
brooks: question about fraud
efelten: limits on retention?
wileys: must disclose
efelten: could keep for 100 years?
wileys: yes, but will face scrutiny of regulators
johnsimpson: could an ad network be a service provider?
wileys: depends on business model, could provide this service as service provider if segregate data, limit view only to that first party
Rigo: do you have independent rights?
wileys: not as service provider
<scribe> ... new area of explicit user choice
UNKNOWN_SPEAKER: will skip non normative text
... heard input from industry and browser vendors
... reading nonnormative text
TL: when a party does not comply with DNT signal from uA because they think not compliant, are they complying with DNT signal?
wileys: lets go through rule set
... explicit and informed consent
... must also have link and explanatory text
... any UA claiming compliance must have exceptions
... server may respond that UA is noncompliant if they believe noncompliant
... server must relay this info to user
... servers must defend why they reach decision
... but can't reject all DNT signals as noncompliant and still claim compliant as a server
jmayer: want to understand scope of product improvement permitted uses
... and market research
wileys: now saying that can use aggregate data, not individual data
jmayer: goal is what?
wileys: you can use aggregate data for multiple uses
jmayer: can collect individual data to aggregate data
... is there a time limit as to when aggregation must occur?
tl: in 4(c), if I only get requests from IE, but no other browser, am I compliant?
wileys: not realistic question
tl: what if you only think one obscure browser is compliant, and everyone else is not, what happens?
wileys: if server expresses what they are doing, OK
... appropriately responding to what you believe to be invalid UA
Thomas: for error response, have you considered granularity request
... per request, rather than per software
wileys: think you are making distinction between protocol discussion and compliance discussion [not sure I got this]
npdoty: does choice have to be separate as well as explicit and informed?
wileys: open on this point personally
aleecia: let's go quickly through rest of section
<justin> "Separate" for UGEs was rejected in DC, FWIW.
wileys: unlinkable outside of scope, included definition
<npdoty> this sounds like the FTC report suggestion on unlinkability (in terms of downstream contracts)
Roy: many data sets are unlinkable by nature and do not need to be de identified; add "or"
aleecia: what suggestions do you have for Shane?
schunter: what is purpose of UA section? site can decide how to service user
wileys: this would be the same as interpreting as DNT1, and I disagree with that. User should be offered opportunity to have another browser
rvaneijk: AdChoices has more transparency, added value in closing section
... did you think about road to compliance? this is DAA plus proposal.
... EU legal compliance
wileys: don't want to have eprivacy debate here. will be adding proportionality text
... notes that implementing regs and interpretation still developing. Could use technical infrastructure.
<Zakim> rigo, you wanted to talk about list of affiliates
rvaneijk: extra homework very important
rigo: on affiliates, must be one click away on each page to affiliate page
<aleecia> we can do one more question after Jeff
<aleecia> Then close the queue
rigo: can't this be machine readable?
<aleecia> Last question to Adrian, then
wileys: already in TPE spec, has optional location for domain list, now this is human readable approach
... must have human readable, machine readable is optional
<aleecia> MeMe, I'll ask you to take your question to Shane on break
Rigo: hard retention periods necessary, especially if number of years
<npdoty> +1 on must have human readable discoverability on affiliates, may have machine readable option
<aleecia> (sending results to IRC would be great)
<aleecia> sorry
Rigo: bargaining position different
<meme> no worries aleecia
justin: if browser puts link and prechecked link on first page, is that express informed consent and who decides?
<aleecia> queue is closed; Jonathan please be ready to walk through your proposal at the end
wileys: each server must decide, and defend that decision
justin: should have a site that lists of software they don't like?
... fractures DNT experience
... if someone sending fraudulent signal, then legal action appropriate, not fracturing DNT
<npdoty> justin: why not go after, take a cause of action, against a vendor who turns on DNT:1 without the user's permission
<rvaneijk> For the minutes: Shane stated that the current proposal will be updated on proportionality/subsidiarity for the operational uses: http://lists.w3.org/Archives/Public/public-tracking/2012Jun/0566.html
<aleecia> MeMe, perhaps add your question on IRC now if you'd like?
wileys: want mass implementation of standard, need balance, already have large number of third partis that they would not implement DNT with that standard
justin: why not sue Microsoft
<tlr> aleecia: stop it, both!
<aleecia> Roy, we've closed the queue after Adrian
<aleecia> We have much more to discuss, I know, but need to move to the final session of the day.
jeffchester: interested in following up, rob has identified critical question about structuring permitted uses
<rvaneijk> ... without the reservation 'where appropriate'.
<aleecia> You might put your question in IRC, and please find Shane on break
<aleecia> thanks / sorry
rvaneijk: put up link in IRC
... how to accomplish goal in different ways that could be less intrusive, balance against user privacy
<meme> Section F in definitions should except out Service Providers I believe
adrianba: proposal says that UA must relay server responses to users to ensure transparency, what if there are dozen 3rd parties on single page
<dwainberg> I can't wait to see a bunch of long tail bloggers sue MS.
<dwainberg> It will make a great movie.
adrianba: understand that UI out of scope, how would that work?
<tlr> can we please stop discussion about who might sue whom?
<tlr> that's not a useful way to get this discussion to *any* reasonable place.
<rvaneijk> For the minutes: Shane stated that the current proposal will be updated on proportionality/subsidiarity for the operational uses without the reservation 'where appropriate'.: http://lists.w3.org/Archives/Public/public-tracking/2012Jun/0566.html
<tlr> Thanks.
wileys: so many innovative user interfaces, perhaps iconic representation of DNT compliance
<justin> tlr, I am looking for an alternative to every single third party making unilateral determinations of what is compliant.
aleecia: thanks, we will spend more time reviewing
<npdoty> adrianba, is your suggestion that the user agent MAY relay the server's response, not MUST ?
<justin> tlr, I don't see why liability risk doesn't solve the problem.
<tlr> justin, that's fine. Say "there's a legal environment for that". Don't say "you could sue $COMPANY" while filling in a real name.
<justin> tlr, My apologies.
<adrianba> npdoty, I'm okay if a UA wants to display something - I don't think the spec needs to say that - I disagree with a MUST
<npdoty> scribenick: npdoty
jmayer: with pde at EFF and tl at Mozilla
... huge thank you to everyone who talked to us, reflects loads of conversations with anyone we could get our hands on
<Chapell> Justin - any suit of the magnitude you are suggesting would (among other things) stall the implementation of DNT for years
jmayer: including people who really didn't agree
... on github under my account, if you want to look at details
<Chapell> my apologies for making that point more emotionally than I'd like - as its not productive
jmayer: but for now want to look at high level direction
... motivate, what we tried to: what seemed to us like a really fair compromise
<tl> Proposal Github: https://github.com/jonathanmayer/dnt-compromise
jmayer: looked at advocates, publishers, advertisers, social networks, adequately balanced all interests
<rvaneijk> http://jonathanmayer.github.com/dnt-compromise/compromise-proposal.html
<justin> Chapell, I am not recommending such a suit. I had just posited several times in the mailing list whether making the standard more clear on requiring consent would discourage browsers from sending without consent.
jmayer: so no one will say this is what I wanted, but hoping that it might be in the direction of what we might live with
... 1) parties
http://jonathanmayer.github.com/dnt-compromise/compromise-proposal.html#parties
jmayer: in DC we proposed a definition based on user expectations, here's an example based on Microsoft web sites
<fielding> My comments are at http://lists.w3.org/Archives/Public/public-tracking/2012Jun/0462.html
jmayer: for user expectations you'd have to look at a number of factors including domain names, branding, consumer awareness
JC: does the word "Microsoft" appear in the footer of every one of those pages?
jmayer: there may be, and I think given the logos and user understanding, these would all be the same party
... now the test is corporate affiliation
... if they're all under a single corporate umbrella, then you're done
... although we don't prefer this outcome as individuals, we think as a compromise it's a good direction given a lot of pushback in this direction
... distinction between Passive and Active
... Passive is the stuff that is sent just by virtue of having a communication (ip address, user agent, referer, etc.)
seanharvey: what do you mean by "supercookie"?
jmayer: any stateful technology in a browser
seanharvey: some alternate local storage mechanism (html5 localStorage, LSOs)
WileyS: what do you mean by "fingerprinting"? it seems like the Passive elements on your list accumulated over time would be fingerprinting
tl: active fingerprinting would be querying lists, an active step (like fonts installed available to Flash)... the best fingerprints (without sticking an identifier on the user) include active steps
WileyS: maybe you should define or make a distinction between different types of fingerprinting
jmayer: happy to have that discussion, but think there are certainly some bright lines for what is "Active"
<WileyS> Note to AdTruth - you've now been but in the same bucket as anyone who uses cookies. :-)
jmayer: passive information can be collected without any limit, kept in the near term with no limit but must be unlinkable in the long term
... but for active collection, you must use something unlinkable, something low-entropy
<amyc> long term is 2 weeks+?
ifette: does this apply both to 1st and 3rd?
jmayer: just 3rd parties.
sharvey: can you quickly define "near-term" and "long-term"? and how firm are those timelines?
jmayer: beyond "near-term" for us is 14 days
... not something like months
<chuckling and/or chortling from certain members of the audience>
jmayer: there are some exceptions
... particularly security/fraud -- all bets are off and we won't second guess
... what if personal information is embedded without your knowledge, etc., but if you actually know about a certain data, they should remove it for DNT users
dwainberg: I thought there were some limitations on security/fraud prevention
jmayer: 1) how long do you get to keep passively collected data around for security/fraud -- up to 6 months instead of 2 weeks
... 2) when you have a reason to believe; that is, not id cookies in every browser, add a cookie for IPs where you're getting a lot of requests
... and if you have a specific reason to believe, then the 6 month limit is lifted as well
ifette: cookies are active, so you can't keep set/retain cookies for fraud purposes?
brooks: when you mean "fraud", you don't mean the legal case of "fraud", you just mean the financial reporting
jmayer: click fraud, impression fraud, advertising fraud ... not getting into questions of criminal fraud
<james> while issue of security and fraud needs more thinking
fielding: distinction between slides/draft -- is the language and the substance consistent?
jmayer: this presentation was attempted to be high-level
dwainberg: step us through, what would a party do between first contact and when they reasonably know fraud may be undergoing?
jmayer: protocol information for 6 months, plus active measures for 2 weeks [may have mis-scribed that]
... this was based on talking to people at companies about how they do this now, that the most commonly used input is protocol logs, not the only input but the primary input
... also tried to verify how much better off would an attacker be?
<cspiezle> we need to look at a broader view of fraud, beyond ad click fraud
jmayer: a number of companies confirmed that they wouldn't be better off because adversaries already employ clearing/modifying cookies
robsherman: when I do have reason that fraud may be ongoing, how do I engineer my system to put a cookie on just the fraudster's browser?
jmayer: a variety of levels of concern about fraud; some companies were fine with just protocol information
... some companies, including ad companies, were more sensitive and did engineering that was dedicated to fraud
... a lot of online ad networks we talked to already had a two-tier system in place, with more techniques employed in those cases
<cspiezle> my concern wearing the hat of commerce and banking sites is to be sure we do not lmit or imapct their ability to detect suhc behavior.
Chapell: first parties pretty much have a free pass, except for not getting around third parties, right? -- yes. -- that seems to contradict tl's comments earlier, are we misunderstanding something?
... use of offline or other data combined with a first party's data, the earlier discussion
jmayer: business practice is like a newspaper that gathers data about the user, and then append the data from an offline party to the first party's profile of the user
Chapell: if Acxiom were here, they might argue that they're a service provider, so you might need to change that in the text
ifette: protocol includes "top-level url", you mean the full URL, not just the hostname, right?
<aleecia> Roy tells me Chris got ack'ed too early -- sorry, Chris!
jmayer: yes.
<justin> Chapell, If Acxiom were to commit to following the outsourcing/service provider rules, I suspect (?) that would solve this problem.
<aleecia> That makes Chris next
ifette: how many companies did you talk to that didn't use cookies for DoS of attacks?
<Chapell> Justin, I'm not sure - you may be right. But I think the offline data brokers would argue that they are outside the scope of this spec
jmayer: companies that already had cookies do use them now, but companies seem to think they'd be okay without them (not all companies)
<fielding> my bad
cspiezle: on transactional fraud, don't want to impact their ability (like banks, etc.)
jmayer: if you're trying to prevent fraud on your own (first party) site, this wouldn't have any impact, you can do the most intrusive tracking if you like
... you can share threat intelligence, limits lifted if there is a reason to believe
<justin> Chapell, That may well be the case --- it's just that you had suggested they would say their service providers. They might prefer to utilize/resell the information they receive as a result of an append. I do not know about their business models to know common practice on this.
<asoltani> 'innocent unless proven guilty' fraud detection approach
jmayer: certain companies where all they do is follow financial transactions, look for users' whose machines have been hacked -- would want to talk to them more about that
fielding: typically those groups are acting on behalf of a first party, but they store behavioral trails from multiple sites
<cspiezle> they are working on behalf of first parties
jmayer: wanted to solve the 95% use case
<cspiezle> perhaps small number of servce providers but they may provide services to 100,000 of commerce sites, banks, ISPs....
alex: given a currently unknown threat vector, attacker only has to change their protocol information every 6 months. can't go back through 2 years of data.
jmayer: yes, there would be that limit.
<aleecia> So I'm going to click on something a lot, and then stop, and then wait six months and then do it again?
<aleecia> And it won't get detected?
<dwainberg> Sort of like that, aleecia
jmayer: if you haven't caught someone trying to do click fraud within six months of doing it, then you won't have that data afterwards
<dwainberg> couldn't you roll out hundreds/thousands of user agents on a large number of IP addresses, engage in low level click fraud and have it add up to a lot of money.
jmayer: not generating this out of the blue, some companies thought they didn't need more, some companies wanted more, thought it was a compromise as many advocates were concerned about a browsing history for 6 months
WileyS: was one of your design considerations ready availability, scale and mass adoption?
jmayer: the privacy-preserving technologies that we have in mind include many that advertisers have said are unworkable
<rigo> and having a full clickstream of all of us for the past 10 years (at least) would be the dream of all spooks, wouldn't it? And we don't allow that for a government but allow the government to raid this private collection? I seriously question some of the asserted need for those extraordinary retention periods
jmayer: technologies where I see a consensus among researchers do work, though they would have some implications
<WileyS> Please note "implications on performance and revenue"
jmayer: no doubt that there's a runway period / grace period
<WileyS> Fail
WileyS: given that there's a disagreement between researchers and implementers, did you take mass adoption (by companies/implementers) into consideration?
jmayer: yes, talking to companies, aimed for balance, a guiding consideration
JC: if we're talking about multi-site behavioral data, why does DNT have any effect on Acxiom account data?
... that's not behavioral information, so DNT doesn't apply
jmayer: flows like these identified as a concern in small groups at Washington; very discrete sharing of information
JC: worried about scope creep
jmayer: focused on things that are not as narrow
<aleecia> JC would like DNT to address OBA; people involved in DNT earlier on see DNT as applying to data more generally. (If this is not write, please correct)
dwainberg: top-level domains and referers, many cases of 3rd-party ad-serving where top-level domain info isn't shared (because of iframes, etc.)
... sometimes you'll receive a domain name that isn't the top-level domain but an intermediate iframe
<JC> aleecia: I don't limit DNT to OBA, but online collection of data
<aleecia> ok, thanks for fixing that
jmayer: if you don't get the Referer in the header but it get it somewhere else (passed along as a URL parameter, for example) -- that's passive collection in the same sense, some advocates thought this was a concession but it happens with some frequency
dwainberg: can you share the list of companies you talked to?
jmayer: commonly have permission to talk to companies without revealing who they are, companies can identify themselves but I'm not comfortable doing so
... I thought it was a broad representation of both size and market sector, including more companies than I recall, including companies inside and outside of the WG
<JC> What is punishment?
tl: some organizations talked about concerns sharing regarding trade associations
hwest: concern about misrepresentation
<tlr> I don't think it's useful to think about this in terms of representation. This is Jonathan's take of where the industry is.
<tlr> He may or may not be right.
jmayer: tried to present it adequately, including qualifications in almost cases
<tlr> Now we need to have things about the impact of these ideas on the table here.
<aleecia> thank you, Heather
<aleecia> Thank you, Alan
<aleecia> Let's get through the discussion if we can
dwainberg: what do we do if there's a new fraud attack that requires changing these requirements?
jmayer: have to evaluate the likelihood of such a new attack, have an implementation period, can revise specification
<BerinSzoka> Well, if Jonathan's not concerned (about the unintended consequences of his rather grand proposal), that's good enough for me! </sarcasm>
amyc: operational practices such as billing with "Active" -- I'd like to understand that better
<efelten> Let's keep the tone civil, please.
<amyc> specifically, want to understand whether Jonathan thinks it is OK to use LSO or fingerprint for operational uses
jmayer: instead of having a billing exception, passive/actively collected used for a period of time for any use
... design motivations
<tlr> which I believe he did when he handed him a microphone
jmayer: based on current advertising company practices, including opt-out practices
... make it possible for external verification of compliance
... concerns about updating the standard whenever there's a new business model or business purpose
... don't want any new company/model to have to get a standards body's permission to explore a new business model
... give a protocol retention period given how many companies talked about how useful it was
<Chapell> While I recognize the importance of maintaining confidentiality when speaking with companies, and I certainly don't question TL or JM's ethics -- its very difficult to vet the accuracy of the claim that industry was widely consulted about this proposal without a better sense of the nature of the companies you've spoken with
jmayer: defaults
... this proposal says DNT can't be on by default, a concession as I and some others believe it would be a better policy if they could
... servers don't get to "second-guess" an expressed header
<Chapell> "industry" is a broad term -- sort of like "human" ---- some similarities, but lots of differences... making generalizations and extrapolations difficult
alex: external verification as a motivation: why would privacy advocates be against internal verification like audits?
... audits of internal operations, for example
jmayer: I think external verification is important: strong role of encouraging compliance, researchers and advocates can work with regulators to discover issues, invite media or public pressure
... this would allow that mechanism to continue working
... also gives consumer confidence
<aleecia> And then we'll be closing the queue, since we're done at 6
alex: but why don't you like internal audits? for example, when a party needs to collect some data
jmayer: these were advantages I saw to external rather than internal
alex: but can't you get all those advantages from internal audits? mathematically proven unlinkability can be audited for
WileyS: said advocates were making a significant concession, but creating an exception that swallows the rule. because DNT:1 would still have to be followed.
jmayer: gives an extra lever to say that browsers that set it by default are not in compliance with the W3C spec
... possible legal measures, public pressure
... couldn't claim to following the spec (which could otherwise be a deceptive practice)
sean: thx for presentation. didn't address exceptions/out-of-band consent...?
aleecia: not part of the original template folks were supposed to cover
fwagner: do you expect a complete overview of all affiliates of Microsoft? would that list ever be complete?
jmayer: believe it's very similar to the proposal Shane presented; I would hope that it would be mostly complete although maybe there would be some edge cases (cover the 95% case)
<erikn> Aleecia wanted a few minutes to wrap up.
<erikn> which I think is useful
<aleecia> we could talk easily another hour
<schunter> meetings should be 24*7 ;-)
jmayer: I believe this could deviate from user expectations and an area where regulators have expressed concern, so I think it was a substantive concession
<aleecia> on either proposal
fwagner: can you make a clear difference between unlinkability and anonymity?
jmayer: borrows some from DAA concept on deidentifiability
... not asking for Arvind to proof your data
... does ask for significant steps, beyond dropping an ID cookie, more like aggregation
<fielding> I heard no justification for why outsourced service providers are listed as an exception instead of being part of the definition of same "party"
fwagner: from a European perspective, collection of data while it's identifiable is still a problem with European regulations
<cspiezle> we nned to accept business users may opt in by defualt for all of their devices and users. We need to be sure we respect this even though the user did not turn on DNT, but the owner of the device did. Second ISPs could offer a pre-configured browser for max privacy and security protections. If a user accepts the browser with DNT =1 then this option needs to be respected.
schunter: jmayer talking about meeting his standard, not a guarantee of satisfying EU regulation
schunter: thanks for a productive discussion, civil ("no flying tomatoes ;)
... always talk about the differences, sometimes we set aside how much agreement we have
<aleecia> Ideally we have greater understanding walking out now
schunter: actually have a lot more agreement than we had, we're just not talking about those parts any more
<aleecia> Address is in the agenda
JC: caddy-corner for NE 8th & 110th, please bring your nameplates
... if you get lost, call JC! :)
... doors open at 8 o'clock, food arrives at 8:30
optional self-hosted dinner present here:
http://www.w3.org/2011/tracking-protection/agenda-2012-06-20-bellevue.html