Tracking Protection Working Group Bellevue Face-to-Face

20 Jun 2012

See also: IRC log


+1.813.366.aaaa, hefferjr, dsinger, Bryan_Sullivan
schunter, aleecia


<npdoty> Internet connection info is on the whitescreen, although if you're reading this....

<npdoty> <sings Happy Birthday>


<npdoty> scribenick: npdoty

schunter: welcome back, thanks for coming back
... happy with the progress so far
... identified two major proposals and a lot of areas of agreement
... and a very lively discussion on the mailing list
... in working order and we are working cooperatively on finding solutions to our challenges
... appreciate the time you put into this group and the constructive feedback


schunter: still have some work to do
... don't need to debate the wordsmithing, but figure out what pieces we can or can't live with
... not to aim for perfect solution, but what are the key points that I cannot live with and focusing on getting agreement with these points
... feel free to make little groups over coffee to work out issues, which can be even more efficient
... agenda review and looking for scribes
... 1. Welcome and Goals
... finding solutions

tl: introduce yourselves and note the observers

schunter: +1, go through introductions around the room after this session

<Chris_IAB> I would scribe, but I am only an "observer"

<asoltani> jjj

<tl> Chris_IAB: That's the best place to scribe from!

scribe volunteers: dwainberg, justin, rigo, Ian, AmyC, jason

<Chris_IAB> yeah, I'm not in accord with that...

<Chris_IAB> if I'm only an observer, I'd like to observe :)

<dwainberg> is there a cheat sheet on the web with the scribing syntax

<dwainberg> ?

<tl> Chris_IAB, Scribing is a great opportunity to follow the conversation very closely!

<scribe> scribenick: dwainberg


Jon Mayer ...

scribe: Justin Brookman,
... Vinay G

Brooks Dobbs....

(sorry, I'm missing some)

<robsherman> ...Rob Sherman

Mike Zaneis

Thomas R


<Chris_IAB> sorry, who is "tl"?

<Chris_IAB> you have a non-transparent IRC name

<sidstamm> Chris_IAB, tl is tom lowenthal

<npdoty> <applause for our hosts>

<npdoty> I'll share the full attendee list since we won't get everyone's details in this go-round

aleecia: thanking companies that provided support

<npdoty> huge thanks to Microsoft for hosting, and to Yahoo, Facebook and Google for financial support

aleecia: [reviewing the agenda]
... Mission of the TPWG is to improve user privacy .... (from the charter)
... we need something that works for users and that can be adopted by biz
... [reviewing dates]
... dates are aspirational
... we were looking for a last call doc in June, we'll see if it happens, even if we don't, we need to publish something out of this meeting
... WG issue freeze
... aleecia filled in dates assuming last call, and padded it out
... Getting to closed
... we start with an open issue, use texts to have discussions, and get to consensus text, then closed issue
... issues can be reopened based on new information
... w/out new info or new text the issue will remain closed
... we can have formal objectsion
... if we have multiple texts, consensus is on the least objectionable proposal
... chairs will identify consensus for the least objectionable path
... it is about substance, not about volume, "me too's", etc.
... WileyS: there is not agreement on this process, can we set that aside as a separate issue


rigo: this _is_ w3c process...it's about sustained opposition

<npdoty> If you're curious about w3c process: http://www.w3.org/2005/10/Process-20051014/

tlr: [reading from the process doc] "where unanimity is not possible, ... in establishing consensus, the WG must address legit concerns of members.... it is desirable that a large majority accept...

<npdoty> http://www.w3.org/2005/10/Process-20051014/policies.html#Consensus

tlr: ignore the above (old process doc vesion)

<npdoty> <ignore earlier tlr, reading out of date version>

tlr: current version: "in some cases a group may be unable to reach consensus.... dissenters cannot stop the groups work....if chair believes group has considered dissenters views they can move on
... consensus ... [reading from the process doc]
... it is a general practice to look for the least objectionable

ian: can we highlight the process for moving a document to last call?

tlr: upon consensus of the WG

aleecia: typically we do not have a vote, but last call could be a time for a vote

<BerinSzoka> Here's the W3C process document that was just read from: http://www.w3.org/2005/10/Process-20051014/policies

<tlr> http://www.w3.org/2005/10/Process-20051014/policies.html#Consensus

<BerinSzoka> note the section on Consensus in particular http://www.w3.org/2005/10/Process-20051014/policies#Consensus

<tlr> an additional piece that I didn't read to you: Groups should favor proposals that create the weakest objections. This is preferred over proposals that are supported by a large majority but that cause strong objections from a few people. As part of making a decision where there is dissent, the Chair is expected to be aware of which participants work for the same (or related) Member organizations and weigh their input accordingly.

<tlr> http://www.w3.org/2005/10/Process-20051014/policies.html#managing-dissent

aleecia: formal objections happen at decision points. FO authors must cite technical basis.
... group can resolve right there, or there is a w3 process, which can go up to Berners-Lee
... if one thing is reversed, there can be an entire dependency chain
... not unusual to have multiple formal objections
... questions?
... (none)
... What's new?
... issues about IP

<npdoty> Rigo Wenning, W3C's Legal Counsel

rigo: is w3c's legal counsel. There were messages on the list about alleged IP issues.
... discussion of the issue on the mailing list has stopped
... w3c can create patent advisory group
... w/ committment to royalty free, the issue is resolved, but if can't resolve quickly, will create advisory group

<npdoty> if we can resolve just by getting a W3C royalty-free licensing commitment, then we don't need to go forward

rigo: formal procedure, with fixed membership, members only, no experts, no observers
... w/ discretion of chair invited experts can be invited to the group
... private meetings, but the result will be public, with suggestions to the wG

<npdoty> deliberation in Member-space only, with a report to the public

rigo: w3c patent policy says clearly that a standard cannot be covered by IP
... there will not be a spec that is encumbered with IP
... important not to give in to panic; we will resolve this.

<npdoty> for questions, grab Rigo in a coffee break

aleecia: on the mailing list; currently it is world readable/writable
... and we're seeing problems
... the chairs will bar contributors who are contributing IP w/out an agreement, or who are disrupting the group
... problem of people contributing IP over which they have a patent
... we need to be careful to keep those things out
... questions?

justin: how does it work; anyone can join, are they required to give up their IP before they can join?

rigo: w3c has a complex framework. Members follow w3 policy. Invited experts sign a form on an individual basis. Observers haven't signed anything, so we have to be careful.
... this is the chair's task to be careful about this.

<npdoty> patent policy details: http://www.w3.org/Consortium/Patent-Policy-20040205/

aleecia: this will be posted w/in the next week.

tlr: one clarification; we have an obligation to respond to comments from the public after last call.
... WRT current members, we're having issues. People are complaining about tone.

<npdoty> people not reading the list because it makes them ill to read it

tlr: Social competence is a key component for WG membership.
... We're getting to the point of having problems.
... Please self-moderate.
... Last piece; we also need a way to take public comments.
... Will set up a public comment list, and we will need to respond to those public comments.

WileyS: Is there a private list as well? What is it?
... Does that exist? Can someone explain its composition.

tl: we do have a private list. By charter it is only allowed for organization, logistics, etc. But no substantive WG content.

<adrianba> Member list archive -> https://lists.w3.org/Archives/Member/member-tracking/

tlr: archive for the private list shows 7 messages from Nov 2011

aleecia: we have new people involved.

<npdoty> (and I don't believe that the Member mailing list archive is currently visible to our Invited Experts)

aleecia: we're seeing exec level decision making descend on the group
... we're suddenly working at executive speed, and it's bogging down the process
... Also external pressures. Press.
... Increased Congressional interest in the US.
... UK "implied consent" for cookies
... NL prior consent
... Art 29 calling out DNT as inadequate
... may have to send out last call for comments twice

<npdoty> "we're doing something unusual and special"

aleecia: thanks to all for doing this work. It is important. It is important to a lot of people. The stakes are high.
... [talking about dinner plans]

<tlr> "new information"

marc: Process question. A decision about one section could hinge on another section that we've not discussed. How do we loop back?
... Troubled or concerned about how that plays out in a rational way.

aleecia: Mostly applies to the compliance doc. For things that have dependencies, we have put those issues together. It is much easier to do it issue by issue.
... for things that are interlocked, we'll just have to do them together.
... if you have specific things in mind, call them out.
... Does that answer your question?

marc: I think so.

npdoty: This may also be "new information"

aleecia: I've tended to be much more willing to go back to issues. This starts to change as we get closer to closed.
... Next we have editors. David is not here, so Roy will do a quick summary on TPE.

Presentations of the Working Drafts

<npdoty> editors' draft of TPE: http://www.w3.org/2011/tracking-protection/drafts/tracking-dnt.html

<npdoty> and compliance: http://www.w3.org/2011/tracking-protection/drafts/tracking-compliance.html

Heather and Justin presenting on Compliance Doc

hwest: not many changes made since Washington DC

justin: lots of options in the doc

hwest: options, notes, issues are color coded in the doc
... things not called out are close to consensus

justin: major issues.
... 1. definition of parties and consumer expectations

<Chris_IAB> Nick Doty, please note that Shane Wiley of Yahoo! just sent a formal request to add the IAB as "invited experts" to this TP Working Group; Could you please reply today? Thanks :)

justin: advocates have largely conceded on this

hwest: next piece is permitted uses; what can that party do for operational purposes. We've been treating those together.

justin: parties and unique identifier are biggest issues
... advocates argue there should be no unique identifier; industry argues there should be a number of permitted uses allowed using unique ID's

hwest: the draft at this time does not reflect recent discussions.

justin: not much concern anymore about 1st vs 3rd definitions
... some discussion of need for definition of "tracking" and "collection"
... Section 5 on user granted exceptions. There's some discussion on what is needed for consent.

<npdoty> I'm happy to help with editing if we want to do things in real time or each evening /cc: hwest, justin

hwest: that sums up the big issues

justin: take-away -- don't look at the compliance doc right now (laughter)

(roy presenting on TPE)

<npdoty> I haven't added that functionality (toggling non-normative text) to the live editor's draft yet, but it's ready to go

roy: Defines what goes over the wire.

<npdoty> http://www.w3.org/2011/tracking-protection/drafts/tracking-dnt.html

roy: Status is; we have made changes since the draft in DC. Major areas of change are the tracking response proposal. We've merged Roy's and Tom's proposals into one version, but not sure if they're happy with it.

schunter: The point of this section of the specification is to specify how a server replies to a UA. I perceive agreement on parts, but we'll discuss later.

roy: (displaying diffs on the overhead)

<npdoty> fielding: I think we addressed those Community Group comments, though I'm not quite sure

roy: change; site-specific >> user-granted exceptions

schunter: (describing options for user-granted exceptions)

<npdoty> fielding, johnsimpson, jchester2 -- we should confirm whether we've addressed the CG comments, and if we need to document that, we can do so

<johnsimpson> @nick They were addressed orally in DC. I think those slides were supposed to be sent to us. I don't think they were.

<npdoty> haven't formally reviewed http://www.w3.org/2011/tracking-protection/drafts/tracking-dnt.html#determining

fielding: (continuing to describe diffs)

<npdoty> (fielding's changes on defaults and requirements for setting a preference)

fielding: added issues 111. There are some new issues since the last working draft. We'll cover later.
... other major change is the response section, where it was two proposals, resource and header field, now it uses both, depending on context.

schunter: context. If you want to tell a party it's ok to track. There's user-granted in the spec, and out-of-band, where site continues to get DNT:1, but site can respond it's not honoring because it has out-of-band consent.

<npdoty> section to review (per fielding): http://www.w3.org/2011/tracking-protection/drafts/tracking-dnt.html#responding

fielding: Tk header field is the combination of proposals. Confirm that what you want in there is in there.

schunter: Roy did a great job merging proposals. But the combination is not 100% perfect. What should go into the UI? What should go into the headers?

<aleecia> Checkin notes dlist is here: public-tracking-commit@w3.org

<aleecia> I'll send that to the dlist

schunter: Roy listed attributes you might want to communicate; we have to decide which are needed. But we hope not to need all.

fielding: last topic; user-granted exceptions. dsinger has been working on it.

<dsinger> added the exact model of what happens

<dsinger> added the cancel calls

npdoty: Major changes are adding a method for web-wide exceptions, starting w/ Shane's text, and API for removing exceptions.

<dsinger> added the web-wide exception

npdoty: We want feedback from other browser makers.

<dsinger> added notes and issues

aleecia: What happens if we're not able to come to agreement?

What does the landscape look like?

aleecia: What does 6 months, 12 months... look like if we do not have DNT?

jchester2: I'm sure we all feel a responsibility for global users of the internet. ... Without a standard, we will see an escalation of the demands of privacy groups across the world for regulation and greater protections.

kimon: (responding) EU regs are about storage on the client, but DNT is not really about storage.
... but haven't been able to get much out of politicians as far as what they actually want to get out of it.

<npdoty> kimon: EU already has a strong legal framework

kimon: would like to make it interoperational with existing OBA framework.

rigo: Had talks with a company in Japan. They are watching the outcome of US and EU.

WileyS: If this group is unsuccessful, a DNT standard will still emerge. It does not need to be one from a w3c standard.

BerinSzoka: Has been involved in the space for over 4 years. Lots of trade offs. Worry about this process breaking, and leading to a regulatory solution that's less able to deal with tradeoffs.

<npdoty> WileyS, you were also making a point that it might not be universal, but it would still be satisfactory?

BerinSzoka: Examples: A DAA standard outside of this process would be politically difficult. Congressional hearing, it was made clear they wouldn't support a DNT standard that does not comply with headers.

<npdoty> BerinSzoka: re: James Grimmelman testimony

BerinSzoka: Also, FTC could be tasked with writing the standard.

<npdoty> BerinSzoka: a standard from outside this process (from DAA) would likely be unsatisfactory to that audience

BerinSzoka: Markey and Barton have been co-chairs of privacy caucus. Their letter made clear they reject a standard that does not allow DNT to be set by default. They also reject a number of other fundamental assumptions of this group.
... Very likely that if this group does not produce a workable standard, we'll see something crafted by regulators, who have little understanding of the issu.
... in fact this will be resolved by people on the hill.

<npdoty> scribenick: justin

ifette: Google hopes this doesn't fail. But we started with a self-regulatory regime (DAA) that has been implemented by most third-parties, so there's a willingness to do something here.
... Some we came into this process because we realized that DAA process was sub-optimal (have to go to website, cookie-based so not persistent).

<npdoty> a vast majority of the third parties that I believe we're trying to target covered by DAA program -- is that right? I thought we had agreed that these issues applied well beyond behavioral advertising

ifette: But over time it's become clear that group believes that DAA not enough. And WileyS's proposal does make real concessions.

<npdoty> ifette: there are meaningful concessions, this is beyond the DAA program, not just putting DAA opt-out into the browser

ifette: Obviously, some are pushing for a prior consent before tracking, especially in Europe. I am worried about the *pandering* being done around this issue. I don't believe that the world will move to opt-in model if this group fails.
... Europe's opt-in model hasn't worked. And to be fair, the DAA model hasn't worked either.

<rigo> +1 to Ian

aleecia: queue is closed --- be focused!

hober: If this working group fails, we'll need to look to other solutions to protect users' privacy

aleecia: what does that mean?

hober: It will depend. <cryptic!>

aleecia: Give me some options

erikn: I'll take a shot at that
... We're not trying to be dodgy --- we want this to work.
... But we are in agreement internally that we need to do something to protect user privacy.

aleecia: from a browser perspective?

erikn: yes, that captures it. But we really want DNT to succeed and to be the answer.

rvaneijk: Without DNT, there will be enforcement actions in Europe. A lot of people have put hopes on meaningful do not track.
... We need to make process the next three days. There are two ends of the spectrum: do-not-collect vs do-not-target. We need to find the middle.
... The statements of the Congressmen and the Chairman on the FTC (?) all push more for the do not collect approach.

fielding: My hope is that DNT does (?) work out. But don't push for DNT on by default.
... As a protocol editor, I don't want to go through the process of grappling with a DNT by default universe (?)

<efelten> FTC and the Chairman have said that DNT should be Do Not Collect, with narrow exceptions.

<sidstamm> +1 to advocating for "don't track users without consent" but not enabling DNT:1 by default

<tlr> Roy: If you want DNT to be on by default, ask for that to be the default with *no* signal. Don't mess up the protocol.

fielding: DNT should express user preference which can't happen by default. There will be regulation on this if this doesn't work, but it will be focused on the default issue (?)

<npdoty> fielding: for advocates, please don't go out there and ask people to turn on DNT by default, instead ask for regulation that DNT be the regulatory default because it won't need changes to the protocol, or any changes to HTTP protocol, the IETF process

spiezle: We need to focus on the consumer perspective. Lacking trust is hurting our business models.

<npdoty> fielding: I expect that regulation would be about tracking of HTTP requests in general, not tied to the default/DNT setting only

<tl> +1 to appropriate privacy protections should be the default, but DNT should always be the user's voice.

<rigo> +1 to that

spiezle: We're going to see legal approaches to protect users if this doesn't work out.

aleecia: Elaborate.

<BerinSzoka> I've never seen any substantiation of this this consumer trust meltdown scenario that's so often bandied about as a supposedly compelling need for regulation

spiezle: You'll see increased allegations of contract suits, class action suits for privacy violations. Even if they don't work out, bad PR issues.

<npdoty> "even if meritless, will consume a lot of cycles"

jmayer: Want to echo the Apple answer: best answer is getting a standard.
... But if this doesn't work out, the research community will be move active. They will engage much more with regulators (who right now lack expertise). Increasingly, regulaotrs have built better relationships with advocacy and research community.
... Regulators will consult with research community on potential regs. Also, research will push more for ad block solutions if this fails.
... And I don't want that outcome. It would be awful.

WileyS: That happens today even in parallel to DNT.

jmayer: It will be worse if DNT fails.

<BerinSzoka> Bully for Shane for pointing out the obvious: Jonathan's threat to build the ultimate ad blocker, etc will happen regardless

<vincent> WileyS, AdBlock will stop to block ads complying with dnt

tl: Hope DNT works, but pro-privacy users will find a solution. DNT should not be a default, but we can make other privacy choices as a browser that don't need to be off by default.

<npdoty> can we get some commitments or evidence on this point: that advocates won't need to build or advocate for countermeasures if we come up with DNT?

aleecia: I'm going to put some on the spot --- what happens to your org if DNT fails. Picking on Adobe first.

meme: From an engineering perspective, maybe fielding can say better. But I agre with WileyS, companies will compete on privacy. Don't think that's necessarily the best approach, because you lose the value of standardization.

<tl> npdoty, If we have a strong DNT standard, we don't need to.

<jmayer> The research and advocacy communities haven't begun work on technical countermeasures in earnest. I expect the pace of development would accelerate exponentially if DNT fails. Again, that would be a very bad outcome for all stakeholders.

meme: DNT is good because users can reasonably expect the same thing. Adobe is looking at competing on privacy, tho, but it takes time. And we will listen to consumers to see what they are asking for.

aleecia: who else can comment with a strong int'l presence?

hwest: Globally, we think a strong DNT standard that's not fragmented is incredibly value. If we don't have a standard, we'll keep working on privacy (as everyone else will say), but we'd like the reliability of one std where everyone knows what to expect (users and companies)

aleecia: I am expecting someone to say (which I'm not hearing) is that without a standard, companies need to go country to country.

<tl> Sounds like all of the browsers are saying the same thing: DNT is the best outcome, but if DNT isn't a viable option, plan B is technical privacy protections, and we'd rather not have to do that.

fielding: you made an assumption that having a DNT standard will release that pressure. I haven't seen DNT as a fix to cookie law --- when I talk with DPAs in Europe, it's all about YOU NEED TO OBEY THE LAW REGARDLESS OF WHAT THE STD SAYS
... which is reasonable. But if DNT doesn't reach those laws, we need to deal with them anyway.

<dsinger> the other nightmare is that if we do this at the W3C, we can publish, listen, learn, discuss, revise, and be global; regulation is not like that, it tends to be publish and walk away.

ifette: But the question is do we need to try to accord DNT to accomodate every law around the world? I don't think that's a good idea, and would be impossible. I want something that protects privacy (reasonably) and is deployable.
... We'll need to country by country anyway. I take that as a given so we don't need to bog the spec down with every possible legal requirement around the world.

<npdoty> ifette: if there are things we can address cheaply, great; if there are things that are common, great

WileyS: Another outcome the press has brought up. The escalating war between publishers and browsers. We'll get to a world of apps. You access content pre-packaged in browsers. Each of those "browsers" control their own interaction with their users.
... I hope we don't get to that.

<npdoty> +1 to WileyS, I think this is an important point on the dangers of back-and-forth escalation

rigo: Quick report from last week's OBA roundtable in Brussels. I positioned DNT as a tool to help you with regulatory compliance. There aren't 27 Robs around the table or 50 Ed Feltens (for the 50 states). A DNT tool can make compliance a lot easier, and the regulators want that too, and is a good outcome.

<BerinSzoka> Shane is exactly right: turning on DNT by default could fundamentally change digital media landscape. everyone hear should read and think carefully about "Opt-In Dystopias" by Betsy masiello & Nick Lundblad http://www.law.ed.ac.uk/ahrc/script-ed/vol7-1/lundblad.asp

rigo: We should adapt the protocol to address some regulatory concenrs.

kimon: Regulators in Brussels stated very clearly that DNT can't fix law, but you should come up with a good technical standard, and we'll take it from there.

<BerinSzoka> but to add to Shane's point, that world may not only be bad in economic terms for the diversity of richness of media, but also for (a) competition and (b) privacy

kimon: Not very helpful to focus on the legal side. This should really be about users --- what will they expect and use. If we offer a simple solution, users will take it and it will work. We need to address user concerns.
... signal from Brussels really is DON'T TRY TO CREATE A LEGAL INSTRUMENT.

BerinSzoka: Briefly, we're talking about a fundamental change in the ecosystem. You should reach Opt-in Dystopias to consider the bad results from this world. This will be bad from competition and also for privacy.

<hwest> If folks haven't seen the Opt-In Dystopias paper Berin is referencing, it's here: http://www.law.ed.ac.uk/ahrc/script-ed/vol7-1/lundblad.asp

BerinSzoka: In this world, users will have to be opting in to a LOT MORE collection of information. Is that really what privacy advocates want? (Also, less information will be available to users).

Marc: Without DNT, much of what we have that works will still be there. There was an AdAge article this weekend that says: "When 3P data goes away, power shifts to those with 1P data." I love my big members with 1P data, but real concerns on pure 3Ps who are at the table and do great things for the ecosystem.

<jmayer> I'd like to hear from OPA and publishers, if they're in the room.

jchester2: The ecosystem has already been changed by real time bidding. We have a huge data collection ecosystem that needs to be addressed. And DNT will help address that. And advocates have made huge concesssions. We need to get privacy off the table for users.

<npdoty> +1 to Marc on the concern for shifting power by company size or by 1st/3rd, we should be cognizant of this

aleecia: So let's stop repeating points. We've talked about walled gardens and paywalls. We've talked about lawsuits and trust issues. We've talked about arms races with cookie blocking. And we've talked about the problems for a lack of standardizatiton.
... We've also talked about increased tracking in an opt-in world. And potential for increased regulation (possibly written by folks without good understanding of technology), And increased regulatory attention in Europe.
... DNT can be a useful tool for compliance in Europe. And we've heard there will be more enforcement in Europe. Some browsers have said they'll do more if no DNT. And other outlets for DNT, possibly through DAA, FTC, or IETF.

ifette: Point of clarification. On your (just made) PPT, you say that DAA will be cookie-based only --- I think that DAA wants to go for a different mechanism if this fails.

FrankWagner: If we have no DNT now, we'll have increased complexity for users.

aleecia: What would opt-in look like for your sites?

<dsinger> I do think that the W3C publish-implement-learn-discuss-revise model is hugely better than slow-moving regulatory model (and, I hope better informed in the first place)

ifette: I asked on the mailing list for good examples of opt-in. I was told about the ICO and the FT. The ICO has no third parties, and the FT has "if you don't like cookies, close this window" and 50 are installed regardless.

aleecia: How do you deal with Euro std if cookies are set before choice? No one has really done this wekk yet.
... Maybe DNT can offer some ease there, if regulators might be OK with that.

Wheeler33: Two points. Publishers make a lot of revenue from third parties. The impact will be felt by 3Ps and the publishers.
... (2) Impact on users. Not clear that users really understand difference between 1P and 3P cookies. Or understand how DNT differentiates.
... There's a belief by users that DNT will make behavioral advertising will go away, and that's wrong. It will still be done, just through 1Ps.

aleecia: You're making a different point. How will it be different if no DNT.

Wheeler33: Without DNT, the money will flow better.

aleecia: That's not clear for all the reasons we've just heard.

Wheeler33: That's my answer
... AND, not clear that if this really does work, users will be confused because they don't get 1P v 3P.

<BerinSzoka> To Aleecia: I think there are actually three scenarios we need to be talking about here: (i) DNT premised on the default-off consensus of this group, (ii) DNT that is coerced to be default-on (what Wheeler is speaking to, and (iii) DNT fails--which likely leads to #2 by legislative or regulatory means

<Chris_IAB> Why is the speaker not allowed to make his position without interruption by the Chair?

aleecia: To be clear, we're talking about : "In a world . . . without Do Not Track"

jmayer: BT.com has an interesting approach to cookie law. They drop cookies, but then delete immediately if you don't grant consent. Some regulators might be OK with that.
... Want to address the economic issues. You're right that 1P and 3P is blurred. The economic impact --- not clear who will suffer. But we can be clear that 1Ps will *really* suffer with AdBlock because with technical solutions, all ads are blocked regardless of party status.

<sidstamm> Chris_IAB, he was making a point relevant to what happens if DNT *does* exist, which is not the scenario we're discussing. The speaker was allowed to make his point relevant to the scenario after the intteruption

BerinSzoka: I like Wheeler33's comments. Options are (1) DNT on when default is off, (2) this group breaks down, or (3) DNT on by default. I'm concerned about this last scenario when DNT-on is coerced by Hill or FTC which is different than contemplated by this group. This group needs to stay on track to keep DNT off by default.

<Chris_IAB> sidstamm, it doesn't matter what his point was, it's that he get's to state it without interruption...

aleecia: To be clear, the group isn't saying DNT off by default, it's DNT is *not set* by default.
... (tiredly) anyone else on this?

<BerinSzoka> I take Aleecia's point, but I don't see how it changes what I said

<jmayer> A few asked for a pointer to my paper on third-party tracking (including some economic analysis). See https://www.stanford.edu/~jmayer/papers/trackingsurvey12.pdf.

<Chris_IAB> let's not get into a semantics war here

rigo: We are all working on the assumption that no one ever changes their browser. But IAB Europe put out a very interesting poll saying that 56% of Euro users delete all their cookies once a month.

<npdoty> BerinSzoka, I think Aleecia was just clarifying; it might help us in the press to clarify that the default question is not a default to tracking, but a default to no preference

<justin_> But that could just be anti-virus, yes?

aleecia: not really on point.

<Chris_IAB> I think the gentleman was quite clear actually

<asoltani> +1

<Wheeler33> The w3c solution MUST reflect user preference - without DNT user preference remains with the users

<sidstamm> +1 to "more pressure for better cookie management tools if no DNT" from WileyS

WileyS: Another option could be better cookie management tools from the browsers. Especially in Europe to deal with cookie directive.

JC: Disagree with WileyS. Cookies don't work. Need to look at non-cookie options.

WileyS: We're talking past each other. Rigo's point is more that you may not need DNT since people delete cookies.

<Wheeler33> agree - OBA cookie targeting effectiveness drops off a cliff after 30 days

Brooks: To rigo's point, the presumption isn't that tools aren't being used, because without DNT people are finding way to express choice today.

asoltanti: One more observation: one of the benefits of DNT is innovations of tracking will be more accepted.

<Wheeler33> if there were standards for cookie deletion after a certain time period - would we need DNT?

<rigo> WileyS, that's actually not what I meant. I meant that people make a choice if we give them a tool to do that

asoltanti: Because there will be cross-technology express of preference, new technologies in innovation might be more accepted where DNT off on exception is granted.

<jmayer> I completely agree with Ashkan's point. In other words, in a world without Do Not Track, new tracking technologies continue to result in public debacles.

* aleecia notes that asoltani is a disembodied voice from the ceiling

aleecia: Different people have different concerns. Some OBA companies may not want DNT at all, which is understandable from their perspective. Europe has a particular perspective that we should take into account, though recognie ifette's point that we can't accomodate all legal frameworks.
... so what happens if we leave here without an agreement? This discussion continues in other forums. We'd do a better job dealing with the issues here rather than fighting on Capitol Hill for the next year and half. Not fun <laughter>
... So what are our options now?
... We had 5 proposals in DC. We whittled them in DC to 2. We've whittled both closer together, but several people are unsatisfied with both.

How can we move on?

aleecia: We could write up both in standards fashion, and get comments on both and then adopt the least objectionable. That's not a great result, but that's the default of where we go to.

<npdoty> aleecia: that is the default, but not an attractive option

aleecia: Or we could pick one. Or we could come up with new ones. Or we could go back to other options that sound better now.
... Or we could fail.
... So what should we be doing?
... Looking for guidance from people who aren't proposal authors?

Chris_IAB: I propose that if we want a solution that includes 90+% adoption, we go with WileyS's proposal. It's realistic and based on lots of years of learning and industry experience.

<npdoty> adoption immediately, i.e. in the next couple months

Chris_IAB: It's realistically implementable by industry.

<BerinSzoka> Maybe we should make like the French Revolution and re-seat after lunch according to which side of the aisle we're on: Shane or Jonathan!

jchester2: There is movement here, There is an understanding that things have to move. Consumers have moved a lot. On 1Ps, we've moved. On defaults, we've made concession. Or logging protocol data, we've moved. And I acknowledge that industry has moved too.

<hwest> I think it's important to simply accept that everyone has made significant progress and concessions

<sidstamm> hwest, +1

<robsherman> +1

aleecia: I'm reading that as support for the idea of continuing to move toward each other.

<efelten> So let's figure out how to close the remaining gap.

dwainberg: As a distant observer, the group has gotten a bit into the weeds. Rather than horsetrade, we should back up and understand the bigger picture and go from there. And we need to consider the possible unintended consequences.

<Zakim> npdoty, you wanted to ask about adoption timing

<Chris_IAB> to clarify the comment that was made after my statement, IAB was not listed as an author on Shane's proposal, but I personally support it

npdoty: Want to follow up on Chris_IAB's point. And the question of how fast adoption will happen. We need to consider adoption rate, and how fast we want to move. Do we want to phase some parts in?

aleecia: Maybe you were suggesting that a phased proposal is the way to go. Phase 1 then Phase 2, etc if they would faciliate compromise.

tl: Don't want phased proposal. If folks lag on implementation we have option options as browser (duh-duh-DUH)

<Chris_IAB> I like the "let's get out of the weeds and see the forrest statement"-- Shane's proposal will likely have 90+% industry adoption in no time. Are we here to get a "DNT win" or are we here to keep hashing something out until we ultimately kill it?

jmayer: I want to second the phasing point. To the extent that comlanies are going to have to implement new tech, totally reasonable to giving cos some grace period to implement if that narrows the gap.

aleecia: This was discussed on a call and industry didn't really want that approach.

<Chris_IAB> see the forest guys...

erikn: What should we do next? We should focus on text. Talking in abstract not terribly helpful.

<justin_> +1 to erikn

<jmayer> I've had more conversations with ad companies than I can remember; some really wanted phase-in, others didn't. Mixed response.

erikn: Going through the points will help move us toward the center.

rvaneijk: The proposal I have is to focus on added value of DNT. The WileyS proposal just reflects a lot of what the DAA has already done. Starting at Do Not Target doesn't really focus on the added value of Do Not Track.
... We need something extra from this process, not just existing self-reg.

hwest: On phase in, phase out, we can't decide that until we know what spec means.

WileyS: I see the counterproposal from EFF as aspirational. I don't disagree with their aims, but will require significant cost and time to get there. We should agree on what we can do now NOW and then work on technical, standardized approach to dealing with the other aspirations in EFF/Stanford/Moz proposal.
... We should immediately begin working on those issues, and one day they could become the DNT standard. But technology isn't there yet.

<hwest> I don't think that's reflective of industry

aleecia: So you see your proposal as Phase 1 and EFF proposal at Phase 2 but with no time limit?

<hwest> In terms of phase one/two and the two proposals

<npdoty> WileyS: we could, suggesting a second round of this Working Group

<npdoty> <laughter> on "job security"

<BerinSzoka> I'd say this is more like Job than a job

WileyS: Yes, there's no planned Phase 2 for this group, but we should have one. Job security <laughter except from aleecia>

aleecia: We could have two standards that come out of this group.

WileyS: I strongly disagree with THAT. Would be too confusing.

aleecia: How is that not what you just said?

WileyS: It's not responsible to put out the EFF proposal as a standard right now.
... Too many blanks to be filled in at a future data. Can't reach those aspirational goals today. Two standards might be worse than none.
... And eventually that proposal could supplant the interim (?) WileyS proposal?

aleecia: So what you're saying is you like the direction of Jonathan's proposal, but it's not baked yet?

<npdoty> supplant the original DNT, rather than "interim"

WileyS: I don't think it's achievable yet?

npdoty: Could we bridge the proposal with MUST/SHOULD language?

<Zakim> npdoty, you wanted to comment on MUST/SHOULD, or iterations

<justin_> I don't think advocates would be comfortable with that.

<rigo> avk ifette

ifette: SHOULDs are problematic in the spec. SHOULDs may create unreasonable expectations from users and regulators. I'd like a spec with all MUSTs.

<npdoty> I do recognize the concern about SHOULDs, I was only proposing it because maybe it could be an attempt at a middle ground

<npdoty> ... and give people a direction/confidence in a future iteration

rigo: I don't think a version 1 debate will spare us from testing out the pain points of how far industry is willing to go today. Also, big issue of trust --- will industry come back to the room for a rematch?
... But that said, it's a valid option.

<johnsimpson> I agree with Ian. Specs should be musts. Where I suspect we disagree is what the musts should be..

<WileyS> Fair - amend proposal to "MUST" from Industry proposals and "MAY" for advocate proposal

<Chris_IAB> how about we get a balanced v.1 spec out, see if it works, and go from there?

<Chris_IAB> iterative work

<Chris_IAB> seems rather agile, actually

ifette: As far as a version 2, would be better to circle back. My reading of jmayer et al proposal is "We don't want 3Ps to have a record of your browsing activity." But industry approach is: "We charge based on impressions, and that valid business model can be done without violating privacy."
... We need to find a way to charge people while protecting privacy. jmayer may point to papers, but I think more research and testing needs to be done to make sure CPM (etc) model can be done with privacy respected but without rampant click fraud, etc.

aleecia: We could have two last call docs, first the WileyS approach, and second the jmayer proposal that folks will have to get to eventually (?)

<npdoty> ifette: wait for a certain successful deployment of a technique, and only then standardize that as an additional version [am I capturing that right?]

aleecia: that's in line with what you propose, to spend more time on the jmayer proposal but to implement what can be done today TODAY

ifette: I want to make sure that jmayer approach is implementable before we put it in Last Call.
... I can't vote yes on a LC until I know it's implementable. That's my bottom line.

<hwest> Last call should not be fragmented, IMHO

SusanIsrael: I agree with that. We should implement what we can now while commiting to work on the harder options. But it's somewhat unclear, which is why we can't put in a LC document today. But would like to have a commitment to work on another LC later.

<Simon> Speaking from experience (CableLabs has put out alot of succesful specs) any spec will need revision as technology changes. Need to get something out that can be used now.

tl: Let's presume the only thing we're concerned about in 3Ps having total view into browsing activities. If they can do what they want to do without that, great. But if they can't, those are illegitimate business models. (Don't want to bless short-term?)

<npdoty> susanisrael, I'm curious how we could phrase those commitments

jmayer: This may be soundly rejected. But it may be worth it to have a very difficult conversation on PETs. It will be very technical and uncomfortable, but there are some wonderful technical people in this room who can chart a way to move the ball forward.

aleecia: Yeah, we often do that, are we usually disagree. So that gives me pause.

Arvind: The researchers have done all the necessary research to find privacy-protective ways to achieve your business models. But just saying "Hey, we need new research."
... isn't fair.

<npdoty> are there ways to encourage iterations to move forward without waiting for a new standardization effort? could we say "best available and feasible efforts"?

Alan: Not saying that we need new research. Question about whether Google, Yahoo!, etc can implement. But concerned about two standards. If we have two, regulators are going to want to require Version 2 right away.
... Unless we bend over backward to say that Version 2 is not implementable today (which some would object to!) concern with two different standards.

Chris_IAB: Clarifying earlier statement. Want to be clear that we can't boil the ocean. Over the last two years, I've created technical spec with IAB. Any company that subscribes to agile development would say let's put out now what works, test, iterate, and then evolve the spec.
... That's how it works on the industry side, and by and large, everyone has over time adopted v1, v2, v3, etc.
... By boiling the ocean, you stop something from getting to consumers. Getting something workable today is a win for DNT and advocates. We'll find out from v1 if we need to do more.
... If there are complaints, then we start a new working group.

<npdoty> is there a clear way for us to determine exactly how many complaints are necessary to support a new iteration?

jchester2: I appreciate what WileyS and ifette are saying, it just won't work to have a phased-in approach. Regulators and advocates want a reasonable standard TODAY. Industry approach as is is unacceptable. Let's get the proposals closer together and continue to evolve.
... Won't be acceptable to say "let's do an OK approach and then wait ten years and fix later."

<Snarky cross-talk>

<jmayer> Chris_IAB, it's hard to focus on the conversation when you keep interrupting. Could you please add yourself to the queue?

aleecia: Why aren't we just putting the two docs out for vetting? Because both are objectionable to a large swath of folks.
... Has anyone moved from "Can't live with" to "Can live with" on either of these proposals?

<Chris_IAB> jmayer, sorry, I was following your previous examples :)

aleecia: No one seems to have moved.

<npdoty> "easier to live with"

<Chris_IAB> but in any case, I believe the scribe got it right here, so go ahead and read up

aleecia: We are still in the world of pain. If we flip a coin, either way we lose. And we've received feedback from regulators around that world that industry proposal is not sufficient.

<npdoty> I'm also in the category of not being familiar with all the details of latest proposal from Shane

aleecia: And we've had feedback from jmayer standard that current proposal is not implementable.
... So we fifteen minutes. No one has any bright ideas.

<justin_> Why not Zoidberg? (CDT proposal)

<npdoty> justin, maybe we could do a comparison or merge of the CDT proposal with the latest from Shane et al. and Jonathan et al.?

rigo: There are some pain points. The pain points are not as bad as some might have us believe. Seeing the differences in details will help advance us significantly

BerinSzoka: No cost opt-outs don't scale.
... It seems to be that we are all here because we've assumed that we're assuming a certain low opt-in-to-DNT threshold.

aleecia: scolding BerinSzoka for not staying on topic.

hwest: A lot of us have a problem with multiple LC docs. We very much don't want a fragmented approach, and that's what two LCs does.

aleecia: Does anyone really want multiple LC docs? (No one raises hand)

efelten: We only get ONE bite at this apple. When we get a consensus proposals, then all the forces we talked about earlier come into play.
... Echoes erikn's point that we need to focus on text.
... Let's talk through nuts and bolts and stop claiming "everyone want this" and "no one wants that"

<james> +1

<npdoty> efelten: a focus on text

asoltani: Echo idea that merging the proposals is the best way to go given the political pressure.
... Maybe we should have DNT-beta --- you can respect one of two proposals. Let consumers opt for which one they want. We'll then have metrics as to what people want. It's a little bit complicated, and not necessarily the right idea, but could work as a back-up plan

<rigo> +1 to ashkan, W3C can organize joint development around DNT v.2 Beta if this has sufficient support

<WileyS> Wasteful suggestion - doubles implementation overhead

<hwest> Let's focus on moving forward instead of the "what if it doesn't work" ideas

aleecia: And of course, you might see different treatment of users, because users might see firewalls, paywall, etc. So not a survey but test of different implementations.

<justin_> +1 to WileyS on this point!

<rvaneijk> I rather see one DNT than forked versions.

aleecia: This testing assumes that good data would actually change anyone's mind!

<sidstamm> +1 hwest ... phased deployment and versioning adds confusion and implementation overhead

rigo: W3C can organize this testing.

<npdoty> I think Ashkan was talking about not getting behaviorally targeted ads, like "Do Not Target"

ifette: I understand asoltani's basic point. But I don't think that anyone in this group would be willing to offer and support a "Do Not Advertise To" signal and continued to offer free content. Users need to see consequences.

<asoltani> clarification: DNT:0 = unset, DNT:1 = shane's proposal , DNT:2 = eff/mozilla

<asoltani> if many people send DNT:2 but sites only support DNT:1, then we need to revisit

ifette: Key point: Don't see how we can implement jmayer's approach without significant hit to revenue. Until we get to the point that we're comfortable with understanding the economic impact, you won't see implementation.

<npdoty> 'until we actually get to the point where people are confident on the effect (in terms of revenue) they aren't going to implement'

<sidstamm> asoltani, how do users express consent for tracking (as per each proposal)? negative numbers?

ifette: The industry proposal, we understand what we think the impact is going to be. Not knowing the impact is holding back the jmayer proposal?

aleecia: So what do you propose to get industry to get data?

<npdoty> ifette: need to be able to show the impact of a proposal, details on data

ifette: Get a big third party to implement it and publish the results.

<BerinSzoka> Well said, Ian. When I said that "No Cost Opt-Outs Don't Scale," this is precisely what I was talking about: not just the default question but also the question of users making choices that don't reflect real-world tradeoffs inherent in exercising DNT

<asoltani> sid, settings needs to have 4 states. unset, allow tracking, opt-out of targeting, opt-out of collection

ifette: jmayer keeps saying that client-side scales. Google has bought companies who had this business model AND IT DIDN'T SCALE. We've really tried. So this is why I'm skeptical. I understand aleecia's desire to move forward, but we have no data points to say how jmayer model will work.

aleecia: But none of this has seen proven data point that this will work.

<rigo> I think W3C can offer a framework and platform to test out stuff, organize research, help with acquiring funding for advanced development and test things out

<sidstamm> asoltani, thanks

aleecia: we're low on time. If you have a new point, then you can talk.

<susanisrael> +1

<hwest> +1 - this will be an iterative process if it's going to succeed

Alan: Not sure we only have one bite at the apple. We may be able to finesse this to allow iterative approach that satisfies everyone.

<rigo> kind of stable + unstable approach and moving

tlr: Timing is slipping --- need to figure out what to do about charter.

<susanisrael> my +1 was to the idea that this will be an iterative process. That was my point rather than the fact that only one proposal is acceptable. Let's work through text, do what we can agree on, and agree to keep iterating

tlr: Current working assumption is that at some point we'll announce an extension of the charter without a change to the scope of the charter.

<jmayer> Thanks for taking great notes justin!

tlr: If there are changes to the scope that people think are important or desirable, come talk to me.
... Enjoy your lunch.

<BerinSzoka> drinks tonight: Tracktinis for all!

<aleecia> Time to get started again...

User Agents, digging into issues

<npdoty> scribenick: jmayer

aleecia: talking about user agents
... talked before, day before microsoft announcement
... mostly about anti-virus software now
... some language in TPE, not Compliance
... looking at a couple issues

npdoty: new members, here's how to join irc

aleecia: thanks
... help available if you need it
... back to issues
... talking about ISSUE-150
... start there

<aleecia> A given device may have multiple sources of user preferences, for example a browser could have a DNT user setting, plus an add-on or plug-in could have a DNT user setting. One DNT choice must be sent. We do not specify how conflicts are resolved.

aleecia: decision that while there might be conflicting user choices on a device (e.g. browser + plugin/addon), leave it to those sources of preference to resolve
... language pasted in irc
... looking to get consensus, hear dissent

tl: middle part should not be normative

aleecia: move to example section?

tl: ok

aleecia: npdoty is editing in realtime
... proposal: new paragraph with former middle part, example section

dwainberg: doesn't this interact with the defaults discussion?

aleecia: yes, for example, if mozilla doesn't have DNT on by default and a plugin does, they have to reconcile
... could imagine the same by IE
... up to user agents to resolve conflicts
... in other words, it's related to defaults, but a separate discussion

<cross-talk managing queue>

<bryan> Re "One DNT choice must be sent", does that mean any and all Web user agents (any Web-enabled application) must send the same value for a particular default or domain? Multiple UAs/apps in a single device would need system-level support for that. Any device that did not provide such support would be inherently non-compliant. Is that what is intended?

bryan: asking question pasted in irc

aleecia: how about rephrasing, you must not send more than one DNT value per request

bryan: to be clear, we're not saying every user agent / app has to have the same setting

aleecia: right

<dwainberg> Would a program setting DNT outside the UA, e.g. injecting into the http request, be an "intermediary"?

hwest: concerned about a different issue
... but related to defaults
... if this is just about sending only one value per request, ok

aleecia: ok, yep, seemed an easy point of consensus

<erikn> ISSUE-150?

<trackbot> ISSUE-150 -- DNT conflicts from multiple user agents -- raised

<trackbot> http://www.w3.org/2011/tracking-protection/track/issues/150

ifette: what about identifying who set the preferences?

aleecia: that's ISSUE-143, a separate discussion

ifette: less fine with this if information about attribution isn't there

tl: don't like notion of attribution, adding lots of information to user-agent

aleecia: again, ISSUE-143, another conversation
... group ok with text?


aleecia: moving on to ISSUE-149

<hwest> I think the group will need to confirm that we're ok with that text once we address 143

aleecia: roy added language about on vs. off vs. unset

<hober> ISSUE-149?

<trackbot> ISSUE-149 -- Compliance section for user agents -- raised

<trackbot> http://www.w3.org/2011/tracking-protection/track/issues/149

aleecia: section 3 in tpe, determining user preference
... comments?

<rigo> scribenick: rigo

<scribe> scribe: rigo

hwest: two choices may not be sufficient. Alternative to unset or only two

AM: minimum of two is currently in the spec

HW: we have an open issue on that. Not fixed yet

AM: show of hands of

Roy: this is what the choice that is offered to the user

MTS: questions: Does not allow for a german user "an" "aus"? and a tool that only send DNT:1
... so even a tool that only sends DNT:1 must be able to be switched off

npdoty: even with the current text that would require at least on and off

jmayer: does that mean that uninstall is sufficient?

<jmayer> Or if the browser offers a "Disable" option, is that enough?

HW: DNT should fully implement the Specification

AM: is it sufficient to remove tool

HW: no

<asoltani> what if the notice is in the privacy policy?

<justin> That's not in the spec yet.

<asoltani> in for example, http://www.google.com/policies/privacy/

<jmayer> I think this conversation is conflating different issues: notice, defaults, choices, ...

adrianba: 1/ lot of discussion about tools and add-ins. user agent has the collective thing that user uses, including all plugins

2/ spec talks about the ua have to offer choices, but offer is not defined (how choices are offered is out of scope).

jmayer: language proposal: instead of offer (user agent has to do something) "a user must be reasonably able to ". Any tool must be able to put the user in one of those states

MTS likes this

<justin> hwest, can you elaborate why we should prescribe that a privacy-protective add-on must be able to send DNT:0? What's the point?

tl: dislike this. If I have my add-on to only should send DNT:1.

<justin> That's totally fine.

<justin> I have no problem with a DNT:0 add-on that doesn't send DNT:1

<justin> If it's installed deceptively, I am comfortable informing the FTC about this add-on.

<tl> justin +1

aleecia: would you be comfortable having an add-on that only makes DNT:0 headers?

tl: yes

<adrianba> If the user can turn off an add-on in their user agent then the user agent (as a whole) offers a way of turning the signal off

<WileyS> Ian made my point (individual vs. collective)

<hwest> justin, it's the DNT0 plugin example - would you be ok with that? What if it's loaded without user interaction?

<justin> hwest, yes I'm fine with a DNT:0 plugin.

ifette: agree with Jonathan (laughter). User must be able to express on off or unset. If we look at individual tool than must be able to express all. If the entire environment (adrianb's point) than should be sufficient

<justin> If it's loaded without user interaction, I look forward to the cy pres award funding my work for the next several years.

erikn: does DNT:0 have to be supported?

AM: what requirements on what you want send, what is the minimum bar we have

<npdoty> can we just delete the whole paragraph? user choice requirement is present above

hober: does a UA have to do 3 options, that is distinct from the UI question of how to present that. People are concerned about limitations on UI to must be able to express 3 states

<BerinSzoka> I just wanted to know how this conversation intersects with negotiations between sites and users

tl: some UA like tor browser -> defaults on high privacy. tor - browser will not offer dnt:0. Should they be non-compliant

<BerinSzoka> might sites offer plugins to turn off DNT:1, for example?

<justin> This seems like a different point.

jmayer: practical impacts 1/ if we set must on DNT:0 every single implementation is non compliant
... 2/ there is a UI implication, you have to have a choice

<erikn> (a choice that can't be a checkbox)

<BerinSzoka> my question simply put: It's important to me that we don't do anything to thwart negotiations between sites and users because, as I said before, no-cost opt-outs don't scale. So my specific question is: Might sites offer plugins to users as an easy way of either turning off DNT:1 OR creating an exception for their site/network as a quid pro quo to gain access to content?

<justin> I don't think anyone is saying that DNT:0 needs to be presented clearly and prominently --- just that it needs to available.

jmayer: 3/ same sementics could be done out of band

<justin> BerinSzoka, plugins aren't how sites will do negotiation. We have separate mechansisms for allowing the negotiation you're discussing (in-band and out-of-band consent).

<justin> BerinSzoka, I mean, they can require a plug-in if they want to, but there are easier ways.

rigo: need for on off unset needed for consent. Also the ecosystem is a bundle with the 3 options

<justin> I would strongly object to saying that DNT:0 must be as prominently offered as DNT:1

ifette: good to have concerns, but requirement is limiting to the point that a user shouldn't be forced to uninstall, symmetry of turning on and off being equally painful or easy

brooks: AVG and so on: none of those are UAs, so should we accommodate. "Able to do HTTP request".

AM: how does that affect

<npdoty> Ian, is this what you're talking about?

<npdoty> A user agent MUST make it equally easy to configure their agent to each of a minimum of {two|three} choices for a Do Not Track preference.

brooks: AVG is just changing an entry in the registry, not issuing HTTP request

aleecia: different issue that we take differently?

brooks: it is bundled

aleecia: re-defining user agent is not next 15 min

rigo: tie it to ISSUE-151 because it also requires exception mechanism to be present

<npdoty> ISSUE: what are the implications on software that changes requests but does not necessarily initiate them?

<trackbot> Created ISSUE-153 - What are the implications on software that changes requests but does not necessarily initiate them? ; please complete additional details at http://www.w3.org/2011/tracking-protection/track/issues/153/edit .

AM: tools that change settings, but do not issue HTTP requests

adrianba: I disagree that symmetry of UI is necessary. I think how options are offered to a user is up to the user agent. Products should be free to compete on this basis.

dwainberg: are we in issue freeze?

aleecia: only at last call
... 1/ on off unset

2/ implicit on off by uninstall

3/ on off unset per entire system

aleecia: started with 2 options, nobody supported that

so opposition between one option and three options

<npdoty> adrianba, was your point that we could leave this paragraph out and leave it up to the UA?

4/ need on and off and unset and same level of effort to set on, off or unset

<justin> ifette, So on the symmetry point, you think we should prescribe that upon install (or in settings), everyone would need to offer equally weighted options for "do you want to tell websites not to track me" and "alternatively, do you want to tell websites they can track you all the time"? We want to put that in the spec?

Chris_IAB: question to tl: What exactly is the problem with disabling the feature. What is the rationale not being able to set off

tl: we should not increase complexity of simple tools
... browser add on will just turn on DNT:1

<bryan> what is being referred to as "the whole ecosystem"? if by this it's meant (as Rigo suggested) that a system-level setting MUST be provided for all user agents on the device, that is *possible* but is unlikely to be *enforceable* given the diversity of devices, UA types, and Internet software stacks.

<aleecia> queue closed

<npdoty> does "Keep My Opt Outs" satisfy the principle of user choice?

<BerinSzoka> but here's my question: What happens when a user running the DNT:1 plugin tries to negotiate with a site to get access to content? Will the user have to remove that plugin on his own before getting access?

<BerinSzoka> if so, won't that frustrate negotiation?

<hwest> Nick, no, Keep My Opt Outs is a blunt tool - my understanding of this working group was to have a more effective, nuanced tool rather than a blunt object a la existing tools

<justin> BerizSzoka, no

<BerinSzoka> I ask in ignorance

<BerinSzoka> how would this work?

<BerinSzoka> would the exception negotiated by the site simply supersede the general preference set by the plugin?

<justin> BerinSzoka, The industry proposal requires that UAs need to be able to handle exceptions.

<BerinSzoka> ok, so to respond to Tom: the plugin wouldn't "just" set DNT:1; it would also have to allow exceptions

aleecia: bryan wants to have a setting per user agent, not per device

<BerinSzoka> right?

ifette: should not be limited to DNT:1 tools.

<tl> BerinSzoka: Yes. Add-ons can break things. If I installed an add-on that disables cookies, that would likewise break things. I don't think sites should be able to ignore preferences that come from simple tools.

aleecia: 1/ user agent must be able to do one choice

<justin> BerinSzoka, I think tl's assumption is that the browser will be able to handle the exceptions. I do not believe that the advocate proposal requires dealing with exceptions.

aleecia: 2/ three choices on, off, unset

<tl> Also, I am not in favor of the industry proposal.

aleecia: 3/ 3 choices with equal effort of setting of all

<BerinSzoka> so, Tom, just to make sure I understand clearly: you envision plugins that would make negotiation impossible because they couldn't process exceptions? the user's only recourse would be to uninstall the plugin that "breaks things?"

tl: only signal on the wire
... should not specify user must configure. Signal means the user has made a choice if you see the signal
... nothing represents my opinion, not the first

<bryan> +1 to Tom's suggestion: we should talk about expressions over the wire and not how they have to be manageable in UAs

tl: would delete the sentence. Must reflect the users choice ... and no sentence on offer choice

dwainberg: where do we make that choice? OS, UA, ecosystems

aleecia: we talked about plugins, user agents
... something that can change the value of an HTTP request is one issue

dwainberg: want to get that first

aleecia: will re-open later

<susanisrael> sorry if this is resolved, but to the point david is making, is it possible that different user agents could be treated differently? and have different requirements?

jmayer: question: there me be a substantive difference: around when a browser claims compliance with the spec, we want at minimum to express DNT:1
... difference is that it would be installed and does just that

<hwest> I think this discussion is whether or not we want to have blunt tools or fleshed out tools

aleecia: what is threshold for sufficiency...

<schunter> ian: want to speak?

<bryan> I think the inability to nail down what a user agent is (e.g. in terms of the diversity of ways in which Web-enabled clients can be built and deployed), indicates that the best approach is to remain silent on this UA configuration point.

aleecia: straw poll

for silence: 14 hands

for three choices: 23

<tlr> for rough magnitude, we're fine

for one choice: 14

aleecia: if you can't live with one choice

7 people can not live with silence

16 can not live with 3 choice

aleecia: fairly even split

<justin> And that's not even accounting for required symmetry!

<BerinSzoka> "Do you prefer 2 over 3?" This is like having an argument with your ophthalmologist! "Better 2, or better 3?

<npdoty> ?

<npdoty> ACTION: aleecia to issue a call for objections on symmetry/minimum number of choices [recorded in http://www.w3.org/2012/06/21-dnt-minutes.html#action01]

<trackbot> Created ACTION-214 - Issue a call for objections on symmetry/minimum number of choices [on Aleecia McDonald - due 2012-06-27].

Resolution: MTS and Aleecia will issue a call for objections


Points of agreement, "combo draft" review

aleecia: We had 8 page table and had an incredible amount of agreement

<ifette> ScribeNick: ifette

Aleecia: Back in DC we had lots of tables where people had a lot of agreement, and a few disagreements
... we were going to write this up, Aleecia ended up doing this
... would like to work through this as much as possible, do some live editing

<npdoty> http://w3.org/2011/tracking-protection/drafts/combo-draft.html

Aleecia: and get pieces we appeared to be near consensus to actual consensus
... this "should" be easy
... going to skip to Section 2, information practices for all parties
... going to go through this, please scream/q+ if you want to speak against something
... additional voluntary measures (reads)
... reads 2.2 user permission and consent

<susanisrael> i would like to return to some of these definitions at some point as i believe they are not as precise as intended.

hwest: how granular do you want to get

aleecia: want this to be the language in spec

hwest: well then
... first sentence, consensus was closer to "a party is not bound by these requirements" as opposed to "a party may now do these things"

aleecia: ok

hwest: an out of band consent for option b (just say "an out of band consent")
... we need to be clear/consistent around "consent" vs "choice mechanism"

aleecia: "choice mechanism" will probably cause us less problems

hwest: a party is not bound by these guidelines if a user grants an exception to that party/parties

tl: disagree, out of band consent may not be "please ignore my dnt signal"

hwest: fine with language "as granted by the user"

aleecia: please, IRC
... ya'll (hwest+tl) work on that

rigo: assumes permission and consent, out of band, we have two

<hwest> "A party is not bound by these requirements and guidelines to the extent that a user grants an exception to that party or parties"

rigo: for dnt:0 we have in-band consent

<hwest> tl, does that work for you?

aleecia: you're saying we have a and b but there should also be c

<tl> What's the URI of the doc that npd is editing?

aleecia: i understand
... (third option for you receive dnt:0 not by an exception but because the UA is sending dnt 0)

<justin> tl, http://www.w3.org/2011/tracking-protection/drafts/combo-draft.html

aleecia: thx
... think jmayer next

jmayer: since we're discussing language, don't intend to substantively change meaning but instead clarify
... sites may override dnt preference if they receive explicit informed consnet
... seems contradictory
... propose party may engage in info practices otherwise prohibited by this specification if a) b) c)

npdoty: can I combine with heather's sentence?

aleecia: same idea

<jmayer> Here's what I just read: "A party MAY engage in information practices otherwise prohibited by this recommendation..."

johnsimpson: don't understand MUST vs SHOULD here
... when seeking an exemption, sites MUST communicate these requests clearly

fielding: MUST is a hard requirement, won't occur successfully without this
... SHOULD is MUST unless you have a good reason not to
... read RFC2119


scribe: in SHOULD case there may be good exceptions but you don't know them a priori, for MUST you have to list the exceptions apriori

<tl> Everyone should read RFC2119

<tlr> +1 re RFC 2119

<tlr> http://www.ietf.org/rfc/rfc2119.txt

npdoty: reads

<tl> hwest, how about: When a user provides a party or parties with an exception to one or all of these requirements and guidelines, that exception overrides their DNT signal.

schunter: should be more general, through other means

aleecia: oob consent handled in other doc

<justin> As I have noted before, approval of the language around consent for UGEs needs to be dependent upon approval of the language around consent for UAs to set DNT:1 in the first place. The point is worth noting, but I don't want to interrupt the convo . . .

rigo: Matthias says this section doesn't apply, but we then don't get to meaning of dnt0
... may be tweaking necessary
... in another section we may want to define what dnt0 menas
... have to make sure this section doesn't contradict the other one

aleecia: open issue

jmayer: party is not bound by requirements in this section - presumably there are things not just in this section that applies
... anyhow "this section" seems ambiguous
... believe intent is anything prohibited in the doc is now allowed
... haven't discussed level of specificity

aleecia: section -> document
... ?

jmayer: specificity
... "a party is not bound by"
... they are bound, just not required to do so
... document still has force, they just are not required to do certain things

aleecia: text?

<jmayer> resend: "A party MAY engage in information practices otherwise prohibited by this recommendation ..."

ChrisPedigoOPA: section "MUST comply with and align with consumer protection laws..." is problematic

<hwest> jmayer, that's the direction I was going for too, that looks fine

ChrisPedigoOPA: its assumed you will comply with the law

<robsherman> "applicable law"?

ChrisPedigoOPA: when you say operate, rigo can correct but operate is a dicey term in the EU

<efelten> +1 robsherman

aleecia: debated to death around comply with law
... not attempting to get in jurisdiction
... only looking at normative sections
... close on this

<jmayer> The language now only provides exception from "...for All Parties"

<jmayer> Should be broader, right?

aleecia: reads "a party may receive conflciting signals, specific overrides general, ..."

tl: stuff about what should go in the status resource should go in the TPE

aleecia: which sentence

tl: if a party chooses to track based upon... must indicate ... supply a link

aleecia: if a party chooses to track based on prior consent, their response must be as defiend in the TPE etc.

<tlr> +1, don't put normative language about protocol into this spec.

aleecia: just point to the TPE, take out the middle sentence

jmayer: might be two separate issues
... prior consent in mode of you give consent at some point, come back
... some might interpret as "prior consent from before you even turn on DNT"
... and even after you turn on DNT subsequently
... not sure if we have agreement there
... suggest reframe from prior consent to "consent when DNT is on"

aleecia: would add a note here, not to the point of talking about decisions prior to DNT being on
... more complex
... we not spend a whole lot of time here now, note that it's open issue
... this is issue xyz still to be addressed
... final statement in section, oob choice mechanism must satisfy following...

dwainberg: party can get permission to do whatever they want, up to that party and regulators etc to determine if they got appropriate permission

aleecia: general principle that the more granular choice is the one that controls, not the more global one

schunter: if i have a well known uri which says my whole site doesnt do any tracking, and then i have headers that conflict, headers are more specific and take precedence

dwainberg: confusion between technical specificity/generality vs

rigo: the technology actually conveys the semantics
... specific statement by the user

<jmayer> npdoty, are you still workshopping the "A party is not bound..." sentence?

rigo: equally applies that a specific always overrides general

<susanisrael> request for clarification re: prior consent. We tabled this issue, rather than dismissing the possibility of prior consent, correct?

<jmayer> I think both hwest and I were looking for clarifications there.

<npdoty> jmayer, do you have alternatives?

dwainberg: if a party puts up a big consent thing "we want you to consent to do everything"
... that overrides any little granular settings

rigo: other way round

<jmayer> resend x2: "A party MAY engage in information practices otherwise prohibited by this recommendation ...""

aleecia: you're talking about which types of things you might consnet to rather than which parties

<npdoty> "DNT: 1" does not tell you the scope of my permission, does it?

aleecia: written in a way that this might not be clear, that's important

<jmayer> maybe "engage in" -> "conduct"

<npdoty> jmayer, hwest, please duke that out and get back to me

aleecia: need it to be understandable
... specifics about specific parties

<hwest> I actually have a comment on the next piece :)

aleecia: if you are sending a DNT signal to the entire world, that is global, you can have something specific about a given party

<jmayer> hwest, are you good with that language?

<hwest> But can duke out this piece too

aleecia: that thing specific to the given party trumps the generalized signal

npdoty: fact you received dnt1 doesn't imply it's general to whole world

tl: only applies to this network interaction

aleecia: dont have to worry about specific vs general, just say OOB trumps DNT signal

schunter: principle is ok but need to spell out instances
... OOB trumps signal, response header trumps well known URI, etc

<jmayer> hwest, [14:31] <hwest> jmayer, that's the direction I was going for too, that looks fine

schunter: spell it out

<hwest> Yes, that still works, jmayer

aleecia: try for that now

<jmayer> Ok. Nick, please swap it in.

<hwest> But I like the out of band consent trumps general anything language

<jmayer> That seems to be the consensus view.

tl: if i have a bunch of settings on a site, that i dont use regularly but they have widgets all over, nd i get a new browser and i turn on dnt1
... but i haven't gone back to that site to modify the preferences
... think its ok because im setting dnt1

hwest: comment on next piece

susanisrael: quick clarification, earlier we dismissed idea of prior consent
... not asking to talk about now
... but think we tabled issue of prior consent
... that might remain valid despite a later setting
... as opposed to dismissing it
... clarify here

<jmayer> message was that heather agreed

tl: question is if i've gone and opted into xyz or only opted into a couple of things, THEN i turn on dnt1
... and they have added more features since then
... their state about me is incomplete
... would they then assume that the DNT applies only to the things that i've already picked, vs newly added things

<JC> Too complex

tl: or am I opted into things that werent previously options

<Zakim> ifette, you wanted to say if you didnt go back to that site you didn't go log into that site

ifette: you are talking about prior consent, i will hold my comments until then

npdoty: OOB may override an expressed DNT signal, suggesting as replacement for specific overrides general

hwest: can we enumerate "an oob may override a DNT:1 and the other option we put in"

tl: think perfect

fielding: confused
... OOB overrides DNT signal period
... it overrides

<rigo> +1 to Roy

fielding: feel MAY is problematic

aleecia: also feel MAY problematic
... anyone want to fight for MAY?

jmayer: segue
... as we did before, get rid of "override" and say "you MAY do things inconsistent with elsewhere"

hwest: "or you are no longer bound by this signal"
... instead of re-granting permission, say "the requirements in this spec no longer apply" written nicely

jmayer: same fix from above

hwest: similar, yes

fielding: opposite of what i just said
... reason to say OOB overrides DNT is so that a user who has set DNT:1 globally
... has a means of still consenting to the one website they have an interest in having tracking enabled
... if you make taht optional, user can't use OOB to do thayt

jmayer: consent is not "and you must track me down"

tlr: guess wondering where we are
... editors may be in a position to rpoduce a strawman

aleecia: trying to do that

tlr: at a point where discussion is editorial
... let editors do another pass for later review

aleecia: basically happy with this, modulo roy's point
... if we move forward, hwest in queue for next section

hwest: generally when we talk about policy, we dont talk about an ordinary user, we talk about a reasonable user
... is that change OK?

aleecia: fine

hwest: anything else on OOB?

aleecia: great, reasonable user must understand
... skipping next non-normative section
... moving on

<hwest> I do not believe that we had consensus on 2.3 Unidentifiable Data

aleecia: skipped over unidentifiable as we haven't yet gotten consensus here
... will talk about later
... moving to additional requirements based on party status
... pulled out to have informatin practices for first party
... at bottom
... think we can agree on "1st party must not share with 3rd party that 3rd party is prohibited from collecting itself"
... reads

ChrisPedigoOPA: can also cover offline data

<jmayer> While I would prefer some bright-line rules around out-of-band consent, like the EFF/Mozilla/Stanford proposal, I'm willing to compromise on the "reasonable user" approach.

tl: disagree with "if it covers offline that's a problem"

ChrisPedigoOPA: host of case law about offline data
... going back 200 years, publishers have collected information off line about their customers, much case law here, this is out of scope

aleecia: great, next?

<james> out of scope

rigo: have trouble with "receive"
... creates a lot of issues we shouldnt have, what we mean here is collect not receive

aleecia: receive -> collect

robsherman: may be overreading, in which case need clarity, but DNT signal is supposed to be scoped to an interaction, here 1st party must not receive/collect data about a user
... broader than "an http request"
... other users e.g. can post info about you on facebook
... "I'm with Aleecia at MSFT"
... that's not intended to be in scope of this document, e.g. "Nick can't post about her"
... this sentence might imply that
... in my example npdoty is another party. FB cannot receive info from npdoty if aleecia has dnt on

WileyS: our definition of third party excludes users

robsherman: don't think this is intended company is never intended to receive info, e.g. billing relationship

aleecia: billing is outsourcing
... if you can give me problematic example please do

amyc: general observation, don't think we've defined "share" etc

<robsherman> Can someone point me to the definition of "outsource relationship"?

amyc: if we haven't defined key words, we may place obligations on publishers to montior all third parties

<susanisrael> +1 to need to clarify definitions

amyc: look at each verb we use

dwainberg: how do first parties know what third parties are prohibited from receiving

aleecia: from the spec

dwainberg: any third party may have consent
... api or OOB
... first party needs to know

tl: ask third party

<npdoty> A <a>party</a> <dfn title="share">shares</dfn> data if the party enables another party to collect the data.

dwainberg: shouldkn't it be up to third party
... if third party gets info they dont have consent to receive, their job to comply witht he spec

aleecia: coming up on 15h
... 30m break
... piece that came out that we have not taken on as a group is, so far we've been saying "no sharing in and out"
... hearing from chris that's problematic
... barely skimmed the surface
... should capture as a new issue
... more time on this

<jmayer> I thought we had agreement on this principle a long time ago.

ChrisPedigoOPA: have agreed first parties won't share data with third parties

<jmayer> We're technology agnostic -- first parties can't give third parties data they can't collect themselves.

ChrisPedigoOPA: question about bringing in other data to a first party still up for debate
... problem with offline data being covered under this standard
... requiring that a first party can't get data from a third party isn't an issue here
... third parties can't collect the data anyways except for specific conditions

aleecia: not sure if that is the case

ISSUE: Are First parties allowed to use data (either offline or online) from third parties

<trackbot> Created ISSUE-154 - Are First parties allowed to use data (either offline or online) from third parties ; please complete additional details at http://www.w3.org/2011/tracking-protection/track/issues/154/edit .

Brooks: ... to go back to definition of issue
... sharing is a defined term and we're almost contradicting it here
... "cause to receive"
... that is the problem
... if i'm cnn and i put a mazda ad on my site
... brooks drives a mazda, has a mazda cookie, have caused mazda to receive info it shouldnt have
... i dont know what the third party has/knows/doesn't have/know

susanisrael: want to understand the purpose, stepping back from language, to say "we dont want to create a loophole where someone turns on DNT to prevent third parties from collecting data and first parties facilitiate this by overriding DNT and using their privilege to feed that data to third parties"
... if i understand that, then whenever we return,  that's the core purpose of this? may help us get to the righ tlanguage

aleecia: may not have agreement on even what that core purpose is
... break, 3:30 return

<susanisrael> by "this" i meant this sentence not the whole spec

<susanisrael> was seeking clarification as a basis for addressing the language

Presentation of industry proposal

<npdoty> scribenick: amyc

Aleecia: starting session on proposal
... asking for scribe for final session, will be Nick

<npdoty> (npdoty to scribe final session)

Aleecia: Shane will present his proposal

Shane: not just my proposal, cosigned by multiple parties
... objective in intro, goal is DNT that will advance user choice beyond existing options and be implemented by significant portion of ecosystem
... part 1 is parties
... similar to advocate proposal, affiliates with easy discoverability
... commonly owned and controlled, similar to DAA
... affiliate list link to be provided within one click
... of page
... meaningful interaction, common ground here too

<npdoty> rigo, how about machine readable as one option? or a SHOULD?

Shane: owner or operator of site, or widget interaction
... service providers is new text, although discussed before
... also considered first party if performing services on behalf of first party

<npdoty> what does it mean to include permitted uses if you're a first party, which has all uses?

Shane: third party is everyone other than first, service provider or user
... cobranding may make 2 or more first parties
... Rules that first party can go about business as normal, can't pass data to 3rd parties
... data must be segregated, third party must not aggregate together data from first party sites
... no profiling, open to defining profile definition to be proposed
... third party cannot leverage profile to change user experience, when DNT is on
... party (first or third) cannot share data with another party when DNT:1, unless service provider

<npdoty> does that get us in to the same question about combining offline data?

Shane: outside DNT context, but wanted to note that data collected or received may be combined with first party data, DNT does not cover offline data

TL: if I am a first party, I can look at generally available data to combine with my own data?

Shane: Yes, because public info or gathered with prior consent so OK to combine

<npdoty> but 3rd parties can't combine your data with offline data

Shane: party may choose to purge, but not required to do so, just can't use
... permitted uses apply, user granted exceptions override
... Permitted uses more limited, express and detailed

<npdoty> doesn't freq capping alter the user's online experience?

Shane: For all uses, the following will apply, includes no profiling, no altering of experience

Efelten: what is profiling?

Shane: assembly of data across multiple sites gathered to predict user interest

<npdoty> wileys: profiling 'assembling data about a user across multiple sites and then using it to alter a user's experience'

efelten: processing or gathering?

Shane: making assessments based on data
... will work on succint definition
... if you do not have collection purpose for specific permitted use, then colleciton is not permitted

<npdoty> wileys: if you don't have a specific permitted use, then collection is prohibited

jeffchester: is this first party or third party

wileys: this is third party
... rules mostly apply to third parties

<Zakim> rigo, you wanted to say that we should have the list in a machine readable format as defined by TPE

wileys: to claim permitted use, you must provide retention period(s)
... reasonable technical and org safeguards
... can suggest that more is better
... public purpose, such as emergency protection and IP, is covered

sean: wanted to clarify response to Jeff?

wileys: allow first party use within first party context ok, third party use of data outside of first party experience is not OK
... but could use third party data to alter first party experience

jeffchester: concerned about tracking

Rigo: but first party can write this back into third party profile?

JC: asks Rigo to clarify?

wileys: may need visuals
... security permitted use, includes fraud, detection and defense
... don't want to have DNT used for antisecurity purposes
... next area is financial purpose, billing and audit compliance, requires uniqueness for user interactions

<efelten> "This is necessary for ..." should be non-normative, right?

wileys: need to retain proof or receipt for what was billed for
... list of billing scenarios

jeffchester: what is time limitation? IAB writes standard contracts for timing. what are best practices for timing for billing and frequency caps?

wileys: also have legal obligations for billing, state and securities and contractual
... don't know exact timeframe

jeffchester: what is typical timeframe?

wileys: think three years or more, will check with IAB

<npdoty> does Financial Purposes include whether a person of a particular historical profile has seen this ad?

wileys: frequency capping, simply a counter, may be used across multiple dimensions of ad experience

ifette: can frequency cap be shared with other third parties?

wileys: uncontemplated in this proposal

Rigo: how identifiable?

wileys: unique cookie, anonymous

<npdoty> pseudonymous?

Rigo: pseudonymous, and attached to page on which ad was seen, isn't this profile?

<npdoty> frequency capping does alter the user's experience based on their browsing history?

wileys: expressly call this out as permitted use, wanted to be clear

jeffchester: how does creative versioning or sequencing affect?

wileys: this is form of OBA, would cease based on DNT

<aleecia> of note: frequency capping data can be used to uniquely identify users, as per recent research

<npdoty> wileys: "creative versioning" and "sequencing" isn't part of this permitted use

<justin> I thought we had reached agreement in Brussels that sequencing was going to be considered tracking.

<justin> And it sounds like we're still in agreement.

wileys: debugging, scoped for repairing site errors
... replicate user experience to fix site

Roy: with user consent?

wileys: not intended to require user consent
... but in 1 to 1 interaction, may be consent based on user complaint
... last is aggregate reporting using unlinkable data
... outside scope of DNT
... is a time period to collect data before aggregating
... related to grace period discussion
... some examples of aggregate reporting
... went from 8 to 5, and 5th is out of scope

TL: any prohibited collection?

<npdoty> does someone have a diff on the 8 vs. the 5? would that help anyone?

wileys: if no permitted use, then collection prohibited

<justin> Combining multiple permitted uses into a newly named permitted use is not a reduction in permitted uses.

TL: wants to see differential between currently collected data and what would be permitted here

jeffchester: does retargeting or modeling apply to market research?

wileys: not profiling or targeting to individual
... can explain more offline, modeling is different than market research

JohnSimpson: third party could track on one first party site, as long as segregated

<tl> WileyS: [responding to tl] This is mostly about use, not collection.

JohnSimpson: but if site has 60 affiliates, a third party could track across all of that

wileys: a service provider, because the 3rd party could only provide back to first party

<npdoty> to follow up on that, users will continue to see behaviorally targeted ads, provided by a 3rd party, just based on your history on that site and affiliate site?

brooks: question about fraud

efelten: limits on retention?

wileys: must disclose

efelten: could keep for 100 years?

wileys: yes, but will face scrutiny of regulators

johnsimpson: could an ad network be a service provider?

wileys: depends on business model, could provide this service as service provider if segregate data, limit view only to that first party

Rigo: do you have independent rights?

wileys: not as service provider

<scribe> ... new area of explicit user choice

UNKNOWN_SPEAKER: will skip non normative text
... heard input from industry and browser vendors
... reading nonnormative text

TL: when a party does not comply with DNT signal from uA because they think not compliant, are they complying with DNT signal?

wileys: lets go through rule set
... explicit and informed consent
... must also have link and explanatory text
... any UA claiming compliance must have exceptions
... server may respond that UA is noncompliant if they believe noncompliant
... server must relay this info to user
... servers must defend why they reach decision
... but can't reject all DNT signals as noncompliant and still claim compliant as a server

jmayer: want to understand scope of product improvement permitted uses
... and market research

wileys: now saying that can use aggregate data, not individual data

jmayer: goal is what?

wileys: you can use aggregate data for multiple uses

jmayer: can collect individual data to aggregate data
... is there a time limit as to when aggregation must occur?

tl: in 4(c), if I only get requests from IE, but no other browser, am I compliant?

wileys: not realistic question

tl: what if you only think one obscure browser is compliant, and everyone else is not, what happens?

wileys: if server expresses what they are doing, OK
... appropriately responding to what you believe to be invalid UA

Thomas: for error response, have you considered granularity request
... per request, rather than per software

wileys: think you are making distinction between protocol discussion and compliance discussion [not sure I got this]

npdoty: does choice have to be separate as well as explicit and informed?

wileys: open on this point personally

aleecia: let's go quickly through rest of section

<justin> "Separate" for UGEs was rejected in DC, FWIW.

wileys: unlinkable outside of scope, included definition

<npdoty> this sounds like the FTC report suggestion on unlinkability (in terms of downstream contracts)

Roy: many data sets are unlinkable by nature and do not need to be de identified; add "or"

aleecia: what suggestions do you have for Shane?

schunter: what is purpose of UA section? site can decide how to service user

wileys: this would be the same as interpreting as DNT1, and I disagree with that. User should be offered opportunity to have another browser

rvaneijk: AdChoices has more transparency, added value in closing section
... did you think about road to compliance? this is DAA plus proposal.
... EU legal compliance

wileys: don't want to have eprivacy debate here. will be adding proportionality text
... notes that implementing regs and interpretation still developing. Could use technical infrastructure.

<Zakim> rigo, you wanted to talk about list of affiliates

rvaneijk: extra homework very important

rigo: on affiliates, must be one click away on each page to affiliate page

<aleecia> we can do one more question after Jeff

<aleecia> Then close the queue

rigo: can't this be machine readable?

<aleecia> Last question to Adrian, then

wileys: already in TPE spec, has optional location for domain list, now this is human readable approach
... must have human readable, machine readable is optional

<aleecia> MeMe, I'll ask you to take your question to Shane on break

Rigo: hard retention periods necessary, especially if number of years

<npdoty> +1 on must have human readable discoverability on affiliates, may have machine readable option

<aleecia> (sending results to IRC would be great)

<aleecia> sorry

Rigo: bargaining position different

<meme> no worries aleecia

justin: if browser puts link and prechecked link on first page, is that express informed consent and who decides?

<aleecia> queue is closed; Jonathan please be ready to walk through your proposal at the end

wileys: each server must decide, and defend that decision

justin: should have a site that lists of software they don't like?
... fractures DNT experience
... if someone sending fraudulent signal, then legal action appropriate, not fracturing DNT

<npdoty> justin: why not go after, take a cause of action, against a vendor who turns on DNT:1 without the user's permission

<rvaneijk> For the minutes: Shane stated that the current proposal will be updated on proportionality/subsidiarity for the operational uses: http://lists.w3.org/Archives/Public/public-tracking/2012Jun/0566.html

<aleecia> MeMe, perhaps add your question on IRC now if you'd like?

wileys: want mass implementation of standard, need balance, already have large number of third partis that they would not implement DNT with that standard

justin: why not sue Microsoft

<tlr> aleecia: stop it, both!

<aleecia> Roy, we've closed the queue after Adrian

<aleecia> We have much more to discuss, I know, but need to move to the final session of the day.

jeffchester: interested in following up, rob has identified critical question about structuring permitted uses

<rvaneijk> ... without the reservation 'where appropriate'.

<aleecia> You might put your question in IRC, and please find Shane on break

<aleecia> thanks / sorry

rvaneijk: put up link in IRC
... how to accomplish goal in different ways that could be less intrusive, balance against user privacy

<meme> Section F in definitions should except out Service Providers I believe

adrianba: proposal says that UA must relay server responses to users to ensure transparency, what if there are dozen 3rd parties on single page

<dwainberg> I can't wait to see a bunch of long tail bloggers sue MS.

<dwainberg> It will make a great movie.

adrianba: understand that UI out of scope, how would that work?

<tlr> can we please stop discussion about who might sue whom?

<tlr> that's not a useful way to get this discussion to *any* reasonable place.

<rvaneijk> For the minutes: Shane stated that the current proposal will be updated on proportionality/subsidiarity for the operational uses without the reservation 'where appropriate'.: http://lists.w3.org/Archives/Public/public-tracking/2012Jun/0566.html

<tlr> Thanks.

wileys: so many innovative user interfaces, perhaps iconic representation of DNT compliance

<justin> tlr, I am looking for an alternative to every single third party making unilateral determinations of what is compliant.

aleecia: thanks, we will spend more time reviewing

<npdoty> adrianba, is your suggestion that the user agent MAY relay the server's response, not MUST ?

<justin> tlr, I don't see why liability risk doesn't solve the problem.

<tlr> justin, that's fine. Say "there's a legal environment for that". Don't say "you could sue $COMPANY" while filling in a real name.

<justin> tlr, My apologies.

<adrianba> npdoty, I'm okay if a UA wants to display something - I don't think the spec needs to say that - I disagree with a MUST

<npdoty> scribenick: npdoty

Proposal from Jonathan and advocates

jmayer: with pde at EFF and tl at Mozilla
... huge thank you to everyone who talked to us, reflects loads of conversations with anyone we could get our hands on

<Chapell> Justin - any suit of the magnitude you are suggesting would (among other things) stall the implementation of DNT for years

jmayer: including people who really didn't agree
... on github under my account, if you want to look at details

<Chapell> my apologies for making that point more emotionally than I'd like - as its not productive

jmayer: but for now want to look at high level direction
... motivate, what we tried to: what seemed to us like a really fair compromise

<tl> Proposal Github: https://github.com/jonathanmayer/dnt-compromise

jmayer: looked at advocates, publishers, advertisers, social networks, adequately balanced all interests

<rvaneijk> http://jonathanmayer.github.com/dnt-compromise/compromise-proposal.html

<justin> Chapell, I am not recommending such a suit. I had just posited several times in the mailing list whether making the standard more clear on requiring consent would discourage browsers from sending without consent.

jmayer: so no one will say this is what I wanted, but hoping that it might be in the direction of what we might live with
... 1) parties


jmayer: in DC we proposed a definition based on user expectations, here's an example based on Microsoft web sites

<fielding> My comments are at http://lists.w3.org/Archives/Public/public-tracking/2012Jun/0462.html

jmayer: for user expectations you'd have to look at a number of factors including domain names, branding, consumer awareness

JC: does the word "Microsoft" appear in the footer of every one of those pages?

jmayer: there may be, and I think given the logos and user understanding, these would all be the same party
... now the test is corporate affiliation
... if they're all under a single corporate umbrella, then you're done
... although we don't prefer this outcome as individuals, we think as a compromise it's a good direction given a lot of pushback in this direction
... distinction between Passive and Active
... Passive is the stuff that is sent just by virtue of having a communication (ip address, user agent, referer, etc.)

seanharvey: what do you mean by "supercookie"?

jmayer: any stateful technology in a browser

seanharvey: some alternate local storage mechanism (html5 localStorage, LSOs)

WileyS: what do you mean by "fingerprinting"? it seems like the Passive elements on your list accumulated over time would be fingerprinting

tl: active fingerprinting would be querying lists, an active step (like fonts installed available to Flash)... the best fingerprints (without sticking an identifier on the user) include active steps

WileyS: maybe you should define or make a distinction between different types of fingerprinting

jmayer: happy to have that discussion, but think there are certainly some bright lines for what is "Active"

<WileyS> Note to AdTruth - you've now been but in the same bucket as anyone who uses cookies. :-)

jmayer: passive information can be collected without any limit, kept in the near term with no limit but must be unlinkable in the long term
... but for active collection, you must use something unlinkable, something low-entropy

<amyc> long term is 2 weeks+?

ifette: does this apply both to 1st and 3rd?

jmayer: just 3rd parties.

sharvey: can you quickly define "near-term" and "long-term"? and how firm are those timelines?

jmayer: beyond "near-term" for us is 14 days
... not something like months

<chuckling and/or chortling from certain members of the audience>

jmayer: there are some exceptions
... particularly security/fraud -- all bets are off and we won't second guess
... what if personal information is embedded without your knowledge, etc., but if you actually know about a certain data, they should remove it for DNT users

dwainberg: I thought there were some limitations on security/fraud prevention

jmayer: 1) how long do you get to keep passively collected data around for security/fraud -- up to 6 months instead of 2 weeks
... 2) when you have a reason to believe; that is, not id cookies in every browser, add a cookie for IPs where you're getting a lot of requests
... and if you have a specific reason to believe, then the 6 month limit is lifted as well

ifette: cookies are active, so you can't keep set/retain cookies for fraud purposes?

brooks: when you mean "fraud", you don't mean the legal case of "fraud", you just mean the financial reporting

jmayer: click fraud, impression fraud, advertising fraud ... not getting into questions of criminal fraud

<james> while issue of security and fraud needs more thinking

fielding: distinction between slides/draft -- is the language and the substance consistent?

jmayer: this presentation was attempted to be high-level

dwainberg: step us through, what would a party do between first contact and when they reasonably know fraud may be undergoing?

jmayer: protocol information for 6 months, plus active measures for 2 weeks [may have mis-scribed that]
... this was based on talking to people at companies about how they do this now, that the most commonly used input is protocol logs, not the only input but the primary input
... also tried to verify how much better off would an attacker be?

<cspiezle> we need to look at a broader view of fraud, beyond ad click fraud

jmayer: a number of companies confirmed that they wouldn't be better off because adversaries already employ clearing/modifying cookies

robsherman: when I do have reason that fraud may be ongoing, how do I engineer my system to put a cookie on just the fraudster's browser?

jmayer: a variety of levels of concern about fraud; some companies were fine with just protocol information
... some companies, including ad companies, were more sensitive and did engineering that was dedicated to fraud
... a lot of online ad networks we talked to already had a two-tier system in place, with more techniques employed in those cases

<cspiezle> my concern wearing the hat of commerce and banking sites is to be sure we do not lmit or imapct their ability to detect suhc behavior.

Chapell: first parties pretty much have a free pass, except for not getting around third parties, right? -- yes. -- that seems to contradict tl's comments earlier, are we misunderstanding something?
... use of offline or other data combined with a first party's data, the earlier discussion

jmayer: business practice is like a newspaper that gathers data about the user, and then append the data from an offline party to the first party's profile of the user

Chapell: if Acxiom were here, they might argue that they're a service provider, so you might need to change that in the text

ifette: protocol includes "top-level url", you mean the full URL, not just the hostname, right?

<aleecia> Roy tells me Chris got ack'ed too early -- sorry, Chris!

jmayer: yes.

<justin> Chapell, If Acxiom were to commit to following the outsourcing/service provider rules, I suspect (?) that would solve this problem.

<aleecia> That makes Chris next

ifette: how many companies did you talk to that didn't use cookies for DoS of attacks?

<Chapell> Justin, I'm not sure - you may be right. But I think the offline data brokers would argue that they are outside the scope of this spec

jmayer: companies that already had cookies do use them now, but companies seem to think they'd be okay without them (not all companies)

<fielding> my bad

cspiezle: on transactional fraud, don't want to impact their ability (like banks, etc.)

jmayer: if you're trying to prevent fraud on your own (first party) site, this wouldn't have any impact, you can do the most intrusive tracking if you like
... you can share threat intelligence, limits lifted if there is a reason to believe

<justin> Chapell, That may well be the case --- it's just that you had suggested they would say their service providers. They might prefer to utilize/resell the information they receive as a result of an append. I do not know about their business models to know common practice on this.

<asoltani> 'innocent unless proven guilty' fraud detection approach

jmayer: certain companies where all they do is follow financial transactions, look for users' whose machines have been hacked -- would want to talk to them more about that

fielding: typically those groups are acting on behalf of a first party, but they store behavioral trails from multiple sites

<cspiezle> they are working on behalf of first parties

jmayer: wanted to solve the 95% use case

<cspiezle> perhaps small number of servce providers but they may provide services to 100,000 of commerce sites, banks, ISPs....

alex: given a currently unknown threat vector, attacker only has to change their protocol information every 6 months. can't go back through 2 years of data.

jmayer: yes, there would be that limit.

<aleecia> So I'm going to click on something a lot, and then stop, and then wait six months and then do it again?

<aleecia> And it won't get detected?

<dwainberg> Sort of like that, aleecia

jmayer: if you haven't caught someone trying to do click fraud within six months of doing it, then you won't have that data afterwards

<dwainberg> couldn't you roll out hundreds/thousands of user agents on a large number of IP addresses, engage in low level click fraud and have it add up to a lot of money.

jmayer: not generating this out of the blue, some companies thought they didn't need more, some companies wanted more, thought it was a compromise as many advocates were concerned about a browsing history for 6 months

WileyS: was one of your design considerations ready availability, scale and mass adoption?

jmayer: the privacy-preserving technologies that we have in mind include many that advertisers have said are unworkable

<rigo> and having a full clickstream of all of us for the past 10 years (at least) would be the dream of all spooks, wouldn't it? And we don't allow that for a government but allow the government to raid this private collection? I seriously question some of the asserted need for those extraordinary retention periods

jmayer: technologies where I see a consensus among researchers do work, though they would have some implications

<WileyS> Please note "implications on performance and revenue"

jmayer: no doubt that there's a runway period / grace period

<WileyS> Fail

WileyS: given that there's a disagreement between researchers and implementers, did you take mass adoption (by companies/implementers) into consideration?

jmayer: yes, talking to companies, aimed for balance, a guiding consideration

JC: if we're talking about multi-site behavioral data, why does DNT have any effect on Acxiom account data?
... that's not behavioral information, so DNT doesn't apply

jmayer: flows like these identified as a concern in small groups at Washington; very discrete sharing of information

JC: worried about scope creep

jmayer: focused on things that are not as narrow

<aleecia> JC would like DNT to address OBA; people involved in DNT earlier on see DNT as applying to data more generally. (If this is not write, please correct)

dwainberg: top-level domains and referers, many cases of 3rd-party ad-serving where top-level domain info isn't shared (because of iframes, etc.)
... sometimes you'll receive a domain name that isn't the top-level domain but an intermediate iframe

<JC> aleecia: I don't limit DNT to OBA, but online collection of data

<aleecia> ok, thanks for fixing that

jmayer: if you don't get the Referer in the header but it get it somewhere else (passed along as a URL parameter, for example) -- that's passive collection in the same sense, some advocates thought this was a concession but it happens with some frequency

dwainberg: can you share the list of companies you talked to?

jmayer: commonly have permission to talk to companies without revealing who they are, companies can identify themselves but I'm not comfortable doing so
... I thought it was a broad representation of both size and market sector, including more companies than I recall, including companies inside and outside of the WG

<JC> What is punishment?

tl: some organizations talked about concerns sharing regarding trade associations

hwest: concern about misrepresentation

<tlr> I don't think it's useful to think about this in terms of representation. This is Jonathan's take of where the industry is.

<tlr> He may or may not be right.

jmayer: tried to present it adequately, including qualifications in almost cases

<tlr> Now we need to have things about the impact of these ideas on the table here.

<aleecia> thank you, Heather

<aleecia> Thank you, Alan

<aleecia> Let's get through the discussion if we can

dwainberg: what do we do if there's a new fraud attack that requires changing these requirements?

jmayer: have to evaluate the likelihood of such a new attack, have an implementation period, can revise specification

<BerinSzoka> Well, if Jonathan's not concerned (about the unintended consequences of his rather grand proposal), that's good enough for me! </sarcasm>

amyc: operational practices such as billing with "Active" -- I'd like to understand that better

<efelten> Let's keep the tone civil, please.

<amyc> specifically, want to understand whether Jonathan thinks it is OK to use LSO or fingerprint for operational uses

jmayer: instead of having a billing exception, passive/actively collected used for a period of time for any use
... design motivations

<tlr> which I believe he did when he handed him a microphone

jmayer: based on current advertising company practices, including opt-out practices
... make it possible for external verification of compliance
... concerns about updating the standard whenever there's a new business model or business purpose
... don't want any new company/model to have to get a standards body's permission to explore a new business model
... give a protocol retention period given how many companies talked about how useful it was

<Chapell> While I recognize the importance of maintaining confidentiality when speaking with companies, and I certainly don't question TL or JM's ethics -- its very difficult to vet the accuracy of the claim that industry was widely consulted about this proposal without a better sense of the nature of the companies you've spoken with

jmayer: defaults
... this proposal says DNT can't be on by default, a concession as I and some others believe it would be a better policy if they could
... servers don't get to "second-guess" an expressed header

<Chapell> "industry" is a broad term -- sort of like "human" ---- some similarities, but lots of differences... making generalizations and extrapolations difficult

alex: external verification as a motivation: why would privacy advocates be against internal verification like audits?
... audits of internal operations, for example

jmayer: I think external verification is important: strong role of encouraging compliance, researchers and advocates can work with regulators to discover issues, invite media or public pressure
... this would allow that mechanism to continue working
... also gives consumer confidence

<aleecia> And then we'll be closing the queue, since we're done at 6

alex: but why don't you like internal audits? for example, when a party needs to collect some data

jmayer: these were advantages I saw to external rather than internal

alex: but can't you get all those advantages from internal audits? mathematically proven unlinkability can be audited for

WileyS: said advocates were making a significant concession, but creating an exception that swallows the rule. because DNT:1 would still have to be followed.

jmayer: gives an extra lever to say that browsers that set it by default are not in compliance with the W3C spec
... possible legal measures, public pressure
... couldn't claim to following the spec (which could otherwise be a deceptive practice)

sean: thx for presentation. didn't address exceptions/out-of-band consent...?

aleecia: not part of the original template folks were supposed to cover

fwagner: do you expect a complete overview of all affiliates of Microsoft? would that list ever be complete?

jmayer: believe it's very similar to the proposal Shane presented; I would hope that it would be mostly complete although maybe there would be some edge cases (cover the 95% case)

<erikn> Aleecia wanted a few minutes to wrap up.

<erikn> which I think is useful

<aleecia> we could talk easily another hour

<schunter> meetings should be 24*7 ;-)

jmayer: I believe this could deviate from user expectations and an area where regulators have expressed concern, so I think it was a substantive concession

<aleecia> on either proposal

fwagner: can you make a clear difference between unlinkability and anonymity?

jmayer: borrows some from DAA concept on deidentifiability
... not asking for Arvind to proof your data
... does ask for significant steps, beyond dropping an ID cookie, more like aggregation

<fielding> I heard no justification for why outsourced service providers are listed as an exception instead of being part of the definition of same "party"

fwagner: from a European perspective, collection of data while it's identifiable is still a problem with European regulations

<cspiezle> we nned to accept business users may opt in by defualt for all of their devices and users. We need to be sure we respect this even though the user did not turn on DNT, but the owner of the device did. Second ISPs could offer a pre-configured browser for max privacy and security protections. If a user accepts the browser with DNT =1 then this option needs to be respected.

schunter: jmayer talking about meeting his standard, not a guarantee of satisfying EU regulation


schunter: thanks for a productive discussion, civil ("no flying tomatoes ;)
... always talk about the differences, sometimes we set aside how much agreement we have

<aleecia> Ideally we have greater understanding walking out now

schunter: actually have a lot more agreement than we had, we're just not talking about those parts any more

<aleecia> Address is in the agenda

JC: caddy-corner for NE 8th & 110th, please bring your nameplates
... if you get lost, call JC! :)
... doors open at 8 o'clock, food arrives at 8:30

optional self-hosted dinner present here:


Summary of Action Items

[NEW] ACTION: aleecia to issue a call for objections on symmetry/minimum number of choices [recorded in http://www.w3.org/2012/06/21-dnt-minutes.html#action01]
[End of minutes]

Minutes formatted by David Booth's scribe.perl version 1.135 (CVS log)
$Date: 2012/07/11 15:45:23 $