SV_MEETING_TITLE -- 18 Jul 2012

good morning!

<rvaneijk> Hi, good morning!

Thanks, Sue, I was just looking up the syntax on that for you and here you're all set.

Good morning, Rob!

<suegl> good morning

<suegl> and thanks, Aleecia

<BrendanIAB> ??P17 is probably BrendanIAB

Indeed. Go, Zakim

thanks!

<eberkower> 646 654 is eberkower

<eberkower> thanks!

<Chris_IAB> that's me- 212

Thanks, Nick

scribe is aleecia

<fielding> The IETF meeting is in two weeks

schunter: today would like complete version in two weeks, review actions and get pieces in text to have a complete draft to review as a group
... any comments on agenda?

schunter, no comments on agenda

schunter: would like to narrow down dates for f2f

<ifette> Matthias, I need to drop Zurich from our list of offers. We can still offer London but our Zurich room will not accommodate enough people

schunter: would like quick note of conflicts

Ian - noted, thank you

<WileyS> Last week of September is looking best (based on current date). Second week of October is IAPP Privacy Academy in San Jose

<susanisrael> 917.934.xxyy is susanisrael

schunter: please put conflicts for sept and oct into IRC

…sept 3?

<ifette> Sept 3 is right during/after IETF

<ifette> no go

<tedleung> zakim aamm is tedleung

…sept 10?

<justin> Sep 10 no

<rvaneijk> 10-12 Berlin meeting

<Chris_IAB> Sept 25/26th look pretty good from an industry POV (shows that I know of)

…sept 17?

<johnsimpson> who is on call?

<rvaneijk> sept

<WileyS> We require 8 weeks notice - so only Sept 19th forward can be considered

<rvaneijk> yes conflict

<tedleung> i cave conflicts the week of 9/10 and 9/24

<dwainberg> sept 25/26 are not ok

<susanisrael> sept 17 and following week not good for me but that's personal. October much better

<WileyS> Agree with Chris_IAB - last week of Sep is looking best based on other activities

<Chris_IAB> There is an industry event on Sept 20th in NYC that many will attend

<vincent> 25/26 not ok for me as well

<jchester2> Oct 23-24 is DPA conference in Uruguay, http://www.privacyconference2012.org/english/home/

<fielding> ifette, IETF is two weeks from now (Jul 29-Aug3)

<ifette> week of the 25th sept is best

<ifette> roy sorry, was mixing august and september :)

<justin> Agree with ifette

<WileyS> Week of Oct 1st then?

<JC> +1

…week of sept 24 seems best so far

<tedleung> week of oct 1 works

<justin> I could live with first week of October too.

<dsinger> we're looking for 'major' conflicts (common ones)

Nick, conflicts then?

<susanisrael> there is a jewish holiday that week

<vincent> same for me :)

<alex> +1 Oct 1

<susanisrael> yom kippur

quite, thanks

…week of Oct 1?

<justin> Do we have a host for first week of October?

<ifette> It conflicts with Oktoberfest

<vincent> lol

<justin> Define "conflicts" :)

<WileyS> LOL

<ifette> (the first week of october)

<Chris_IAB> I like Ian's conflict!

<Chris_IAB> let's have it there!

<johnsimpson> what city are we considering?

<Chris_IAB> W3C tent?

Matthias, once we have a week we want to meet we will try to find a host perhaps. Sounds like a suggestion to have the meeting then :-)

<justin> That's a feature, not a bug.

<ifette> Our munich office is to big enough :(

<ifette> not big enough rather

First week of oct is OTA forum

<Chris_IAB> October 1st and 2nd are out-- BIG event in NYC

Matthias, second week of october?

<WileyS> 2nd week of Oct conflicts with multiple events - OTA and IAPP

<tedleung> can't do 2nd week of oct

<Chris_IAB> Advertising week in NYC is first week of October

<justin> There's an Amsterdam privacy conference second week of October too.

<WileyS> Yes - I'll be speaking - with Justin Brookman

<dsinger> third week of october has me at mpeg shanghai (oct 15th)

IIAP even week of oct 8th

<rvaneijk> why not putting up a doodle?

<tedleung> i can do oct 15

<Chris_IAB> Monday October 8th is a US Holiday

schunter, oct 15?

<schunter> Oct 1

<WileyS> Feels like its either the last week of Sept or 1st week of Oct

<schunter> TPAC: Oct 29ff

<WileyS> Let's not meet over Halloween again...

<tedleung> if we are into oct, i would vote for TPAC

<npdoty> we may need a Doodle as well, but hearing maybe towards the end of the week on the last week of September

schunter, can do last week of oct or last week of sept

<Chris_IAB> First week of October is Advertising Week in NYC... for industry folks and others

so we should look for rooms at that time

<dwainberg> my vote would be week of Oct 1

<johnsimpson> seems like we're getting very late in year...

<schunter> ok. I will send a doodle for last week of september, oct1, oct 29.

<justin> Second vote for week of Oct 1.

schunter: doodle pool for last week sept, week starting oct 1, week starting oct 29

<Chris_IAB> is the Jewish holiday the entire week?

<Chris_IAB> except people can't travel before

wileys: is the holiday the whole week?

<johnsimpson> yom kippur is Sept 25 and 26 I think

<ifette> We can host that last week in september, but cannot host the first week of october, i don't have any large rooms open

<vincent> it's just the 26

?: would be 24th - 26th, and there's also travel.

<schunter> ok.

thank you, Ian

<dsinger> google: Yom Kippur begins in the evening of Tuesday, September 25, 2012, and ends in the evening of Wednesday, September 26, 2012.

<Chris_IAB> can we do later in the week of Oct 1st?

schunter, now looking for Oct 1 or Oct 29th

<johnsimpson> so nothing woks in Seopt.?

<npdoty> Chris_IAB, how late in the week of Oct 1st avoids the advertising event conflicts?

<ifette> it can't be in munich the first week of october, hotels are impossible

schunter, we'll look for hosts for those dates

<dsinger> I think we should meet separately from and before TPAC, and have only a short cross-group session at TPAC

<fielding> is it either or both?

<ifette> if munich was a serious suggestion

<justin> Would strongly prefer week of Nov 5 to Halloween week.

<Chris_IAB> those with kids, Halloween in the US is on Wed, October 31st

sounds like week of oct 1 will be best

<justin> I cannot make that week at all.

<Chris_IAB> for people with kids... I'm personally ok

<Chris_IAB> it's also ad:tech NYC

<WileyS> Justin - are you saying you can't make the 1st week of Oct?

<tedleung> i already have to go to tpac

Ian you weren't able to find a room week of oct 1?

<Chris_IAB> first week of November

<justin> I can do Oct 1; I cannot do week of 29th.

<dsinger> halloween is already TPAC, with many of us busy with other groups as well

<tedleung> so 2 trips to europe in oct is kind of killer

<WileyS> Justin - thanks

<Chris_IAB> first week of November is ad:tech NYC

<WileyS> Appears Oct 1st is best week - now to find a host location

<Chris_IAB> and NYC Marathon

no matter what we pick, someone is going to be unhappy

<ifette> We can probably host in London a meeting starting 10/30

<justin> Sure.

<ifette> (tues)

<dsinger> right, I will be (AC Rep and other things)

<adrianba> TPAC 2012 -> http://www.w3.org/2012/10/TPAC/

matthias: we could do TPAC?

dsinger: we would need a lot of progress before then, and space is an issue, but we could do that

<Chris_IAB> November 5th is the IAB Ad Ops Event

<npdoty> w3c has considered the possibility of reserving an additional large room for us to meet, if we decide that's what we want

matthias: will do doodle poll from here
... where are we on minutes?

<Chris_IAB> sorry, what are the proposed F2F locations in Europe?

npdoty: behind on minutes, started cleaning up minutes from f2f and that's overdue. some earlier minutes are done but not published. will finish by end of the week and send email.

<vincent> Chris_IAB, london if I understand correctly

please

<Chris_IAB> vincent, thanks

<schunter> http://www.w3.org/2011/tracking-protection/track/actions/overdue

schunter, starting with action-169, rigo?

…not on the call.

<npdoty> Chris_IAB, vincent, we've heard from possible hosting options in London, Athens, Brussels, Frankfurt, Lyon

<vincent> thx npdoty

… sending a reminder to Rigo is in order; Nick will follow up

<dsinger> he has text in email; is it still open?

… action-186, Justin

<Chris_IAB> loving Athens ;)

justin, it's in the editors' strawman draft

designer, action-169 is done and needs to be integrated

<Chris_IAB> I hear they need our money too ;)

schunter, we should review first

… text from Rigo is for TPE or compliance?

(we can figure this out offline)

<npdoty> sounds like it's for the compliance doc and we should have Rigo follow up with Justin and Heather

dsinger, looks like compliance

<justin> I can incorporate this into the definition of party.

thanks, Justin

schunter, justin's action - also in strawman draft - closing

<WileyS> +q

schunter, action-214

<WileyS> Hello?

schunter, action-213 jonathan?

<justin> Fine with me.

<justin> I'll move them to pending.

<WileyS> Thank you Justin

swiley, can we move justin's actions to pending review rather than closed?

<fielding> we don't need to discuss an action -- discussing the text is different

schunter, good

<npdoty> we've been using the phrasing "closing" for an action, but that wouldn't close an Issue, and we commonly move the actions to "pending review" anyway

nick, will be in touch with aleecia on infrastructure which is done

jmayer, please leave action-213 open, not finished

<rvaneijk> Action-215: I have the pictures from Rigo and will send them to npdoty

<trackbot> ACTION-215 Send Nick photos from whiteboard to include in minutes notes added

<susanisrael> i have proposed language for first party/third party/affiliates that I will send soon to justin

schunter, action-215

nick, will follow up off-line to get photos for minutes

<schunter> thx

<jmayer> Apparently this is an action I'm supposed to work on with Ian and Roy...?

If you have photos, please send to Nick

schunter, action-216, is brooks on the call?

<fielding> jmayer, I have no idea what that is about

nick, will send reminder to Brooks

<jchester2> attack on DNT in US publication, FYI: http://thehill.com/blogs/congress-blog/technology/238373-online-privacy-do-we-need-do-not-track

schunter, action-220 dsinger wrote a proposal; should review

<jmayer> Is it maybe for the Compliance treatment of unintentionally received data?

schunter, action-223 not done, leaving open

<npdoty> hwest, action-225 is due today, any updates?

<justin> If you guys want to fix the definition of collection/tracking to accomodate this, be my guest. Otherwise, I am tackling that on Friday.

<schunter> http://www.w3.org/2011/tracking-protection/track/products/2

schunter, looking at open issues

<npdoty> jmayer, yes, I believe that's the context for that action

<WileyS> yes

schunter, change issue-84 to pending review? yes.

<WileyS> No

<WileyS> Saying Yes to the move

<dsinger> issue-136?

<trackbot> ISSUE-136 -- Resolve dependencies of the TPE on the compliance specification -- open

<trackbot> http://www.w3.org/2011/tracking-protection/track/issues/136

<jmayer> There's language about that in the EFF/Mozilla/Stanford proposal. I'll send it to the list.

schunter, issue-136, editors' issue on dependencies

schunter, issue-137, should be service provider flag but rest is not visible in communication. Remembered correctly?

… suggest creating an action to get service provider flag sorted out, any input?

npdoty, seems this was an open area of disagreement. Tom and Ed suggested user might benefit from having this as flagged since data sharing changes.

npdoty: not just one side on this issue.

<fielding> I am not aware of any service providers that are willing to implementthat.

<ifette> i thought we said service providers were basically the same as the party

sorry -

<ifette> (e.g. not calling them out explicitly to users)

schunter: start with text and see what comments we get back

… Roy, will you take the action to remove service provider flag from header?

fielding: ok

<efelten> Do we have consensus on this?

<fielding> (of course, I just added that flag last night)

dsinger: are we saying outsourced should be indistinguishable from first parties?

fielding: not relevant

<rvaneijk> wow, the flag get's from the table just like that. I remember a good discussion on that in Seattle.

dsinger: very relevant, different legal liability

<jmayer> Um, what?

dsinger: I'll let it go

<dsinger> they are different parties, without question.

<johnsimpson> what are we dropping again, please?

<jmayer> +q

<jchester2> I agree that we need to make such a distinction

rvaneijk: remember Ed Felten explaining this is important and in the EU context as well

<jmayer> -q

<jmayer> +q

<ifette> we seem to be not even agreeing on things we already agreed to in our previous meetings

rvaneijk: dialog you get with user is different from contract and contract with service provider

schunter: what's the difference?

<dsinger> "I am Matthias" and "Im am acting solely on behalf of Matthias" are pretty different statements. I hope.

<Chris_IAB> legally, in the US, doesn't the first party include their contractors?

rvaneijk: if you're a legal processor you aren't just part of the first party, would decrease transparency. service provider flag very useful. In favor of keeping the flag.

<jchester2> the data processor even as outsource may engage in different actions that raise concerns for users. Keep the flag

<schunter> rob: 1st party should only be claimable if you are contracted to be a service provider.

<vincent> I though Rigo opposed to that idea of distinguishing first party and outsourcing (might be I misunderstood)

<schunter> Other helping parties may not be permitted to be 1st party.

fielding: had that discussion with European regulators and they say the opposite. There's no requirement to reveal themselves to users, and there's a contract.

<ifette> Are we going to require every hosting company, every router, every proxy, etc to add some service provider flag?

<Chris_IAB> every contractor?

…would love to have language for "data processor as defined by the EU" but I can't - many service providers involved.

<Chris_IAB> it would result in white noise

…ridiculous to say there needs to be an S on the flag because there's a service provider involved, that's non-sensical

<dsinger> sorry, this is separate from outsourcing, then?

schunter: will process the queue

<jchester2> Transparency for data service providers is good for public.

<fielding> Transparency can be in the human-readable policy

efelten: different cases here. 1. existence of separate entities is not visible like hosting. 2. obvious like different entities, like analytics companies. is the analytics company claiming to be a service provider or a first party in their own right?

… when they are visible should be clear what role they're claiming.

<Chris_IAB> isn't it up to the first party to provide the protections to the user, for it and all of it's contracted service providers... the legal liability would be on the 1st party, no?

jmayer: agree with Ed, add another motivation that very concerned about service provider exception. potential for abuse. collecting a lot of information. need ability to understand who claims the exemption and how they use it.

<schunter> Let's close the queue

… are they using technical measures, are they analytics, or are they doing something new? can't tell without information.

<Chris_IAB> doesn't the 1st party actually claim the exception for it and it's service providers? can someone please clarify?

<fielding> efelten, if the user agent can figure that out by domain, then it already knows that it is a separate legal entity. The response of 1 from such an entity on a different site's page is exactly the information you need.

schunter: ok, don't have agreement. need to gather inputs.

<susanisrael> are you going to return to the queue

schunter: would like actions assigned to generate text

<fielding> I will reiterate, I am not willing to implement that flag.

… won't solve this in the next two minutes

<efelten> No, there are two different claims that bar-analytics could be making: (1) I am a service provider to foo.com, and will silo data. (2) I am a new first party in my own right, and therefore won't silo the data.

<ifette> +1 to missing due to IETF

fielding: won't make call in two weeks

schunter: can do in three weeks if needed

<Chris_IAB> under the current draft, does the service provider need to exercise the exception, or the 1st party on behalf if it and its service provider(s)?

… point is, won't solve this right now

<dsinger> can we ask Jonathan and Roy and maybe one or two others to write up an issue discussion (email)?

… we'll write texts and take it up again

<ifette> ack

susanisrael: trying to understand since talking about multiple things when talking about service providers

<jmayer> I would add that I don't think the hosting platform should be exempt from sending a service provider flag.

<fielding> efelten, that information would be in the human-readable tracking policy

<jmayer> E.g. wordpress.com could send this.

<Chris_IAB> well stated... need the clarification

… as designated by first party under contract, no right to use data independently. if that's the defn, that affects if we need a flag or not. if just any company can claim it, that's different. can we clarify that?

<npdoty> Chris_IAB, as I understand the current draft, the service provider exception exercised by a first party (like some backend process) would only need transparency in a privacy policy somewhere, but a service provider that responds to an HTTP request would note an "s" as well as a "1" in their response

schunter: Who wants to take the lead to work on this?

<ifette> +1

… if no one's interested, I'll drop the flag

<ifette> +1 to Matthias' suggestion

<Chris_IAB> thanks Nick

<fielding> no, I did

<jmayer> I don't agree with the point Susan just made—a contractual obligation doesn't in any way obviate the minimal burden and significant value of a service provider flag.

<susanisrael> Maybe some of the first party -third party language clarification in compliance section may help

npdoty, Tom had already written it into the draft, we already have text

schunter: but if no one wants it we should drop it

<jchester2> we need to keep the flag

<jmayer> Seriously, matthias?

<susanisrael> I don't want to lead but can offer some language

<dsinger> I can help collect opinions next week if we need a leader.

dsinger: but we do have people who want it

<Chris_IAB> seems like if we are going to add modifiers to DNT:, industry may have a ton of additional flag requests beyond the "simple" binary approach

schunter: concrete action is understanding the user cases and seeing if the text we have now meets them

<dsinger> if Ed, Jonathan, Roy and others who have opinions, points etc. can email their pieces, I will try to assemble them into an issue-presentation email

… do we have something a user agent can act upon usefully?

<susanisrael> dsinger, i will email you some language

<Chris_IAB> to the user, would there be any effect of the flag?

… should limit ourselves to make sure there is value to the information

<Chris_IAB> of is this just for audit purposes?

<WileyS> Chris, appears this is for audit purposes only

dsinger: will lead with others

<dsinger> issue-137?

<trackbot> ISSUE-137 -- Does hybrid tracking status need to distinguish between first party (1) and outsourcing service provider acting as a first party (s) -- open

<trackbot> http://www.w3.org/2011/tracking-protection/track/issues/137

schunter: issue-137 in your email, please

… nick, please create an action for this

<Chris_IAB> WileyS, would be good to understand and validate the motivation for the flag... a real use case?

<npdoty> Chris_IAB, the response header is currently not binary, but if you have use cases that aren't captured by those response values, I expect the editors would be very interested

<WileyS> The only Compliance and Scope overhead for a Service Provider is separation of data for each 1st party they are providing services for.

schunter: issue-140

issue-140?

<trackbot> ISSUE-140 -- Do we need site-specific exceptions, i.e., concrete list of permitted thirdparties for a site? -- open

<trackbot> http://www.w3.org/2011/tracking-protection/track/issues/140

schunter: should be pending review, part of David's draft

… moving to pending review if no objections

<Chris_IAB> npdoty, I would propose the the header itself not be binary in that case... opens a can of worms... some worms may be useful to some and not others... but they are worms

npdoty: based on proposal from last night?

<WileyS> Yes - we need site-specific exceptions - what is the question at this point?

… have had other proposals for six months here

schunter: yes, we need to discuss them

<WileyS> Perhaps David can present his proposed text as this point?

… issue-145, discussed and reflected in the current text?

fielding: half way there. Not in header fields yet

schunter: ok, leaving open because text is not 100% there. Is there an action to finish this?

fielding: issue-124, but not action

<npdoty> dsinger, I was just referring to previous versions of the site-specific exceptions text (from you, from tom, from me) that we had looked at over the past months

[discussion of internals on tracking the draft]

<fielding> yep

<fielding> 145 was a discussion completed in Bellevue

<npdoty> ACTION: singer to collect input (from Tom, Jonathan, Ed, Rob) on needs for a service-provider flag and compare to current draft [recorded in http://www.w3.org/2012/07/18-dnt-minutes.html#action01]

<trackbot> Created ACTION-227 - Collect input (from Tom, Jonathan, Ed, Rob) on needs for a service-provider flag and compare to current draft [on David Singer - due 2012-07-25].

schunter: last open issue, issue-156

issue-156?

<trackbot> ISSUE-156 -- Add a list of data processors to tracking status -- open

<trackbot> http://www.w3.org/2011/tracking-protection/track/issues/156

schunter: Tom is not on the call?

<ifette> ISSUE: charter is running out and we need to agree on whether to extend or recharter and what a revised charter would look like

<trackbot> Created ISSUE-157 - Charter is running out and we need to agree on whether to extend or recharter and what a revised charter would look like ; please complete additional details at http://www.w3.org/2011/tracking-protection/track/issues/157/edit .

… data breach, user can see what parties have stored data about them. Increased transparency

<npdoty> I suggest we assign an action to Tom to draft the reasoning and the proposal for 156

… Roy comments that contracts for service providers bars publishing their names

… what to do about issue-156?

<fielding> often

<WileyS> +q

<fielding> this is for a field in the resource

wileys: thought we had a resource for third parties. issue-137 related.

… optional resource link to data processors?

<fielding> yes, an array like "partners" and "same-site"

<npdoty> WileyS, you're suggesting that this is already covered by the `partners` field?

… if it's optional it's less controversial but they are linked

<fielding> TL wanted it to be mandatory

<WileyS> No - this is a net new resource list

schunter: issue-137 was a flag not a URI or additional information

<dsinger> That was my understanding; that if someone claims "I am acting on behalf of the 1st party" the 1st party could have a list that verifies that (optionally)

<WileyS> I don't agree with mandatory

<WileyS> I agree with optional

… how do we handle data processors and service providers, if at all.

… what do we need to communicate to user agents, and how to convey this information?

<fielding> dsinger, different issue -- that is same-site

<WileyS> But don't feel its helpful to have this list if issue-137 resolves with no distinction between 1st party and service provider in use messaging

<WileyS> "user" messaging

… let's leave it open and discuss under issue-137, if we need a URL then we'll resolve this too at the same time. If we don't have a user case, should ask Tom why we need it.

<npdoty> I suggest rather than speculating we assign an action to Tom who can explain what he had in mind, and suggest to him that maybe it's already covered by existing fields

<jmayer> Agree npdoty.

… postponing issue-156 and add note in issue-137 to link them

<jmayer> +q

jmayer: Nick's suggestion, ask Tom what he had in mind. Seems reasonable.

<fielding> "Tom has requested that users be able to see who is going to retain the data from tracking such that the user can know their data might have been compromised if there is some later breach announced."

schunter: postponing issue-156, link in issue-137, Nick please send a note to Tom

<fielding> (I put it in the issue description)

<ifette> we have an open issue not discussed

<ifette> ISSUE-157?

<trackbot> ISSUE-157 -- Charter is running out and we need to agree on whether to extend or recharter and what a revised charter would look like -- raised

<trackbot> http://www.w3.org/2011/tracking-protection/track/issues/157

<jmayer> fielding, unclear if that means a list of third parties, service providers, corporate affiliates...

ifette, charter expires this month

<fielding> data processors (service providers for *this* domain of WKL)

npdoty: Thomas is not on the call today, but if you have comments on how you think charter should look, should have heard back from Thomas already. If not, follow up with me

<WileyS> We need to have this discussion

<WileyS> +1 to Ian

ifette: Thomas' response was he expects things to continue as-is, which is not what many of us discussed. Want to involve the whole group not one-off discussions.

<jchester2> What's the problem extending this for 6 months so we can finish up. Is there anyone that opposes an extension?

npdoty: commonly go through consortium not the group, since not substantive.

ifette: would like to request time on an upcoming meeting to discuss it

<jchester2> Ian: Can you tell us Google's concerns about the charter extension?

npdoty: sharing how we commonly do this

<Chris_IAB> it would be good if everyone understood and were aware of charter discussions, I agree

<dwainberg> I agree, and have proposed this to Thomas via email as well.

<Chris_IAB> agree with Ian

ifette: number of people want to discuss this, heard this in f2f and on mailing list. Should set aside time to discuss this.

<dsinger> now we have an issue, people could write emails with their concerns, linked to the issue...

schunter: will take this up on the next chairs' call and discuss with Thomas, Nick, Aleecia, Matthias.

<jchester2> Let's put the charter on the agenda--so the public can understand what the positions are.

<ifette> 157

… like David's suggestion of putting this on the mailing list for issue-157

<Chris_IAB> lots of stakeholders now, representing many different interests, will ALL be interested in if/how rechartering goes

… will discuss how to move forward on the next chairs' call

ifette: what does that mean? Will there be time on a call?

schunter: need to talk to Thomas, but need to know what the status is

<ifette> great

… cannot assess the status to make a decision on what to do

… cannot promise a discussion next week when I don't know what Thomas needs

… but would like your input besides just changing the date

… next item on agenda

<fielding> TPE diff since last WD that I mailed this morning is archived at http://lists.w3.org/Archives/Public/public-tracking/2012Jul/att-0109/tpe_diff.html

schunter: will hear from David, then Nick, then what our next actions are
... David, please summarize new proposal and what changes made?

dsinger: explicit parameters to site-specific, was out for several weeks. Revised based on f2f, removed explicit list from API and can use partners list.

… doing just a diff

… two sets of APIs. specific APIs for first party, and then web-wide for what happens on the WWW

… prior version had specific list of sites

… concerns that UA couldn't do this well and bad user experience

… resolution at f2f was to remove parameter and have partners list in well known resourse

… processing model was not implementation. what does UA have to remember, what is the matching rule

… in 6.4, JS API for site-specific is just a call back.

… changed the UA behavior to use list of targets if it exists, or * if it does not. May use * even if partners' list exists

… ends up in database.

… much simpler: removes everything it remembered about that site [missing a bit]

… web-wide exception is not changed in this process

… why SHOULD list? sites have different classes of parties, good relationship and contract, need to get permission to track properly.

… but they may be pulling in third parties the top party is unaware of. Top party may wish to distinguish them, so that's why I wrote it in that way. We should discuss.

… top level origin, domains, split -- Nick has better language to improve it.

<ifette> what is the purpose of the site specifying the siteName in the js call?

… processing model is a model, not a mandate for how things work

… implementation is up to sites

(I could use time to read this!)

<dsinger> s/sites/agents/

schunter: start with questions of understanding

ifettte: What's the siteName parameter in section 6.4.1.1?

… supposed to be origin of the site but doesn't the browser know?

dsinger: human-readable. New York Times, not nytimes.com

… can clarify

<Zakim> ifette, you wanted to ask what is the function of the siteName parameter

<Zakim> npdoty, you wanted to answer

<Zakim> fielding, you wanted to say I am not fond of methods that have no indication of success, like removeWebWideTrackingException -- how will a UI provide feedback to user?

npdoty: been in the proposal from feb, that's right, human readable

fielding: would prefer callback methods

… let JS know it succeeded or not

… remove webwide tracking exceptions

dsinger: no failure possible for that

<npdoty> the proposal from Tom in February is here http://www.w3.org/mid/4F4E6C1A.9010606@mozilla.com

… didn't think it was necessary

fielding: in theory, yes but there's always a failure mode. like UA crashed, interface between -

dsinger: ok, I see. Internal processing error
... editors will work on this

schunter: other questions of understanding?

… will jump into discussion

<ifette> This largely reflects what I remember we agreed to in Seattle...

<npdoty> ACTION: singer to update remove methods to have an appropriate failure mode [recorded in http://www.w3.org/2012/07/18-dnt-minutes.html#action02]

<trackbot> Created ACTION-228 - Update remove methods to have an appropriate failure mode [on David Singer - due 2012-07-25].

<fielding> s/UA crashed/UA thread crashed/

… would like to see if there are requirements not reflect in the draft, or improvements

adrianba: callbacks - if we add a callback to change the execution to be async, was that deliberate?

<fielding> fine with me

<ifette> no sync apis

… can we keep it as a synch call and indicate success?

<npdoty> +1 to adrianba, failure for the remove call can be synchronous

<ifette> what are we adding a sync api for?!?!?

npdoty: ask if UA has to make separate HTTP request?

… in order to complete the exception call. And do we want that?

inaudible

schunter: if UA needs the info we need to make a separate call

npdoty: we're saying they should

<ifette> -1 to SHOULD

<ifette> MAY sure, but not SHOULD

schunter: why receive information they don't need?

npdoty: text says SHOULD

<dsinger> "The user-agent should use the partners as the list of targets, if it exists, or a list containing the single special string “*”, indicating all targets, as the target if it does not; it may use a list of the special string “*” even if the partners list exists."

dsinger: may be important to have third parties in two classes

schunter: if first party doesn't care, that's it, doesn't matter

<ifette> Where is the SHOULD fetch we're discussing in the text?

<npdoty> "The user-agent should use the partners as the list of targets, if it exists, or a list containing the single special string “*”, indicating all targets, as the target if it does not; it may use a list of the special string “*” even if the partners list exists." implies a fetch to get the partners list

<dsinger> ifette: I posted the sentence above

dsinger: removal of parameter means first party can no longer say "I don't care" need partners list

schunter: should leave it to the UA.

<adrianba> ifette, in the requestSiteSpecificTrackingException method

<ifette> i would not agree with that sentence

<JC> +q

… asking user for any third parties on the site should be ok

<jmayer> +q

… would like different behaviors from different UAs

(scribe breaking)

<Chris_IAB> a partner list/ contractor list may be considered competitive information

dsinger: let's back up and talk about in- and out-of-bound exceptions

… should we have both? (b) will in-bound be acceptable to anyone?

… API may be completely worthless.

ifette: to David's point, need way to store in UA if blocking third party cookies by default. Need to store.

… understood in Seattle moving to URI because up to the browser to deal with it or not. Thought that was the whole point.

dsinger: should is a recommendation not a mandate

ifetter: should is a must unless there's a strong reason not to

<schunter> MAY

schunter: understand Ian as saying wants a MAY not a SHOULD. can everyone live with MAY?

<jmayer> How about a "Best Practice" note on this.

dsinger: means a site that has two different classes of partners can't do that any more

<jmayer> Roughly between a MAY and a SHOULD.

ifette: yes, but that's what we discussed in Seattle

… which API to make it sync?

dsinger: for processing errors

schunter: site can offer this info to UA, but UA may not do anything with it

<dsinger> (the remove calls are synchronous but will have a return value in case of processing failure etc.)

… can ask user "are 3rd parties ok here?" like on a small device. Shouldn't outlaw different types of UAs

dsinger: spec as written does not outlaw that

<schunter> MAY

dsinger: perhaps change language here to suggested behavior

<WileyS> David, Jonathan had offered up the idea of a "Best Practice" note - I agree with that approach

schunter: common use for this list is … and how UA would put it to use

<adrianba> SHOULD is a very strong requirement - MAY is better

dsinger: will work on it

<schunter> ok.

<fielding> removeWebWideTrackingException was the API (actually, I thought it was async or at least might call an async action internally, hence the need for some kind of "failed to complete" response somewhere)

schunter: looking for MAY

<ifette> I don't want to be called "not a good user agent" or "not best behavior" if we don't do that

dsinger: need more than MAY, best behavior. We can work on it

schunter: ok, please review and we'll take a look

<Chris_IAB> in any case, should we clarify that its not a requirement (in the text)-- so as to be clear?

… many different UAs may do different things

<dwainberg> this sounds like a policy issue

<Chris_IAB> or not an absolute requirement, depending on the use case

<ifette> david, it should be clear that you don't have to use it

dsinger: clear that no need to fetch the list if you're not going to use it

<dwainberg> it's either a technical requirement or not, right?

<ifette> we should not say you SHOULD use the list

<WileyS> David, with that in mind that means "MAY" is appropriate here

<WileyS> The practice is a "MAY", if a UA opts to engage in that practice then they SHOULD do the following things.

dsinger: not a policy issue really, what can sites expect from UAs? Who gets a DNT:0 in the future, everyone or the list I care about? What's the sort of contract between sites and UAs?

<schunter> Important goal for UA: All people on the list get DNT;0

<Chris_IAB> good question: who's enabled the sending of DNT:0 today? I count none thus far...

schunter: important point is that people on the list get DNT:0. How many and under what conditions is up to the [unclear]

<jmayer> I've put together a prototype of Do Not Track exceptions: http://webpolicy.org/2012/07/02/do-track-browser-based-do-not-track-exceptions/

JC: list of 3rd parties is dynamic. If Monday user says ok and Tuesday the list changes, putting the list in front of the user a second time isn't useful

<ifette> +1 to JC and yes I hope it's transitive

… is this transitive, if a 3rd party needs another party, does it flow to them?

dsinger: what happens with redirects? If your site is very dynamic, you need to ask for all

JC: are we saying the user trusts the site and all their third parties? Otherwise can't see how this works well

<ifette> JC, that's why I've been arguing against enumerating third parties from the beginning

schunter: Rigo proposed language for the recursive condition

JC: dynamic aspects, though

dsinger: that's why I have concerns about the whole model

… putting that into the UA

schunter: but Ian's point, we need to store exceptions

dsinger: cookie-like behavior?

schunter: API more limited than a cookie

dsinger: will take this off-line

jmayer: three points. first, JC's point on dynamic third-parties. two ways can deal with it. one, site-wide. takes dynamism off the table. two, as an optional or always or never on, multiple levels and surface them to make decisions.

… point two was Ian's, storage mechanisms. simple API for "I pinkie swear I'm storing user pref on privacy, whatever you block, let me save just this." If storage is the only problem for out-of-band, we can solve that.

…point three, don't have agreement on list approach or explicit API approach

… explicit is so much better because list approach has same functionality. Anything in a list can be expressed either way.

… only difference is in how browsers and websites implement

<schunter> List has advantage of discoverability.

… building explicit API is straight-forward.

<ifette> Right, I though though that we kicked it out to a list instead of in the API because we wanted to make it explicit that it was totally optional whether or not the browser wanted to fetch the list, and we suspected a number of browsers would not want to fetch that list

<dsinger> yes, moving the list to the well-known resource, and making it optional whether the UA takes any notice of it, are quite orthogonal, I agree

… snapshot approach and sending DNT:0, caching, periodically checking it. website calls JS API, objects in webs tie to tweak, customize to user or quickly, anything other than static list for all users

… no brainer to go with explicit model

schunter: running out of time. empty queue, David to update proposal

<dwainberg> time has run out -- can we please postpone further discussion?

… understand Jonathan's point, explicit API is equiv, and if everyone can live with it that's fine

<dsinger> as I understand it, I have to provide return stati for the cancel calls, and improve the 'should

… will look at David's update

<Zakim> npdoty, you wanted to suggest that it's long been optional

npdoty: support option for UAs

<jmayer> Matthias, I don't think you're going to hoodwink objectors by swapping the API for something nonsensical.

… can have different UIs, list or not.

<schunter> Explicit API cannot make the list optional.

<dsinger> I want to discuss IBE vs. OOBE though; we may be fiddling with the paint on a ship that's sinking

<schunter> (to the user agent(

… proposal since feb, can use that.

<schunter> )

<ifette> nick, "since february" with many outstanding objections

<jmayer> Why can't an explicit API be optional?

… will follow up more offline

<Chris_IAB> I'm curious to know why those browsers who have implemented DNT thus far, have only implemented DNT:1 or null (and not DNT:0)?

<ifette> objections since february :)

schunter: thanks all.

dsinger: can be optional
... orthogonal issue

<jmayer> Options: don't offer the API, automatically swap calls for site-wide requests, ...

schunter: can stay online for anyone who can stay

<ifette> bye bye

<npdoty> ifette, I just meant, if your concern was just making it optional, that functionality has been long available

dsinger: have to go

schunter: call on compliance spec next week. thanks!

david has to go

- DRAFT -

SV_MEETING_TITLE

18 Jul 2012

Attendees

Contents

Summary of Action Items

Scribe.perl diagnostic output