W3C

- DRAFT -

26 Sep 2012

See also: IRC log

Attendees

Present
aleecia, jeffwilson, Rigo, ifette, BrendanIAB?, fielding, WileyS, Joe_Hall, npdoty, justin_, schunter, jchester2, damiano, mikeo, +1.408.887.aaaa, dsriedel, johnsimpson, dwainberg, +1.408.887.aabb, RichardWeaver, vinay, suegl, +1.206.658.aacc, +1.303.817.aadd, LesliePetrie, amyc, +1.917.318.aaee, hwest, +1.303.817.aaff, Chapell, dsinger, +1.916.641.aagg, Simon, adrianba, Joanne, +1.202.681.aahh, JoeHallCDT, BerinSzoka, [FTC], +49.431.98.aaii, ninjamarnau, Chris_IAB, cblouch
Regrets
Susan, Ted_Leung, Lauren_Gelman, Tom, Lowenthal
Chair
aleecia
Scribe
Chapell

<aleecia> good morning, Tom

<aleecia> and good morning Thomas

<JoeHallCDT> Good morning, Aleecia! (Sorry for the delayed response, yo)

<aleecia> No problem. Nice to see you.

<WileyS> Testing

<rigo> Test failed

<WileyS> Rigo :-)

<aleecia> 408 is not SF :-)

<WileyS> 408 is more of the bay area - that is the same area code we use at Yahoo!

<aleecia> 415

<WileyS> But "Zak" already has me so it must be someone else from Silicon Valley

<aleecia> That Rigo knows roughly where US area codes map to is both impressive and scary :-)

<aleecia> Any volunteers to scribe?

<Simon> 303 area code is me

<npdoty> volunteers to scribe?

hi aleecia that's chapell

sure

<npdoty> scribenick: Chapell

<rigo> scribenick:Chapell

<fielding> http://www.w3.org/2011/tracking-protection/track/actions/overdue?sort=owner

<npdoty> I think Alan sent that out and we're having discussion on the mailing list now

<johnsimpson> Did call fail??

Amy: will have cleanup of language by friday

<npdoty> schunter, can you update those actions in the tracker?

<scribe> ACTION: 256 to DWainberg -- pending review [recorded in http://www.w3.org/2012/09/26-dnt-minutes.html#action01]

<trackbot> Sorry, couldn't find user - 256

<npdoty> heather: couldn't determine the context of the group from the minutes

<johnsimpson> am back in

<WileyS> text complete - Vinay found one typo

SWiley: Third parties acting as first parties language
... other than typo, language is ready to go

<npdoty> WileyS, so the text is here: http://lists.w3.org/Archives/Public/public-tracking/2012Sep/0150.html

<BerinSzoka> I'm 202.642----

<BerinSzoka> oh

<BerinSzoka> actually, sorry

<BerinSzoka> yes, I'm 681

<BerinSzoka> called in from a different gtalk this time

Aleecia: rundown summary of issues
... action 246 -- DWainberg gave a response --- asked for more specifics

<dwainberg> I'm on it, and expect to have something soon.

Aleecia: change it back to open

Issue 148: HWest to ask some sections to the compliance document -- will update to the list

<rigo> action 119?

<trackbot> Sorry, bad ACTION syntax

Issue 119: Absolutely not tracking. Some responses, but not worked through yet

<WileyS> Rigo, what commitment - that a Server is W3C DNT compliant? If that's your angle I completely disagree (but you know that already)

<dsinger> issue-119?

<trackbot> ISSUE-119 -- Specify "absolutely not tracking" -- open

<trackbot> http://www.w3.org/2011/tracking-protection/track/issues/119

f2f

<npdoty> http://www.w3.org/2011/tracking-protection/agenda-2012-10-03-F2F-Amsterdam.html

<WileyS> Aleecia, requested "Global Considerations" be added to the agenda - what is the status of that request?

Aleecia: F2F reminders.... see agenda. See specifically day 2 plans to go through all 24 open issues against compliance doc

<johnsimpson> you're breaking up aleecia

<rigo> WileyS, we can send a signal back that says: I only pretend to be DNT compliant by sending DNT signals, but I have my fingers crossed behind my back

<JoeHallCDT> +1

<johnsimpson> must be my equipment

<ninjamarnau> * npdoty, still unable to join. I do not even reach the w3c telco system anymore.

Aleecia: strongly suggest that participants read the drafts, what it takes to get to last call and open items

<WileyS> Rigo, LOL - that of course makes no sense but neither does sending back a technical somehow suggest you're also compliant with a separate policy document.

<WileyS> Rigo, ...a technical 'signal' somehow...

<rigo> WileyS, I don't want to do P3P with DNT-tokens

<johnsimpson> will call back in

<WileyS> Rigo, that's fine since you don't really implement something in the real-world. those of us that do want it

NDoty: Our hosts have arranged for dinner and canal boat tour on Wednesday (tentative)

<dwainberg> "I'm on a boat..."

<JoeHallCDT> and if you can muster a group for Rijsttafel, that's awesome https://en.wikipedia.org/wiki/Rijsttafel

<WileyS> dsinger, as long as I'm the decider of who is contributing to progress :-)

<WileyS> tlr - LOL

Next topic: Editor's working drafts

Aleecia: some comments on the compliance draft.

<BerinSzoka> The most important thing to know about Amsterdam is: go see http://www.rijksmuseum.nl

Jweiss: DWainberg gave significant comments. Justin still going through comments. Lack of consensus on certain points

<WileyS> Aleecia, are you going to discuss requests for modification to the agenda?

... discussions re: permitted uses. Add to draft?

Aleecia: Don't worry about up to the minute changes, but try to get the bulk of the comments as they currently stand

Schunter: two open issues

<fielding> TPE has no pending edits at the moment

Schunter: Service provider flag -- diverging opinions
... call for objections to iron out remaining differences

<dsinger> I need to align the qualifiers with the compliance permissions, at least

Aleecia: we will submit the working drafts to w3c by this friday

<Chris_IAB> just joined via Skype

<Chris_IAB> sorry for the late join

<fielding> I think we have a note on that already

<aleecia> Then I think we're ok

Johnsimpson: confirming - public working draft ready for submission on friday (with a few clarifications)
... what about further comments?

<fielding> Tues

Aleecia: no more substantive comments before the document is out

<fielding> (usually)

<Zakim> WileyS, you wanted to comment on the f2f agenda

<tlr> Tues and Thurs, correct

<npdoty> further comments would certainly be welcome, just wouldn't be reflected in this particular snapshot publication

ShaneW: Question on the Agenda re: Global considerations

<aleecia> +1 Nick

ShaneW: will this receive some time on the agenda?

Aleecia: some time for small group discussions, tbd.

<rigo> WileyS: global considerations document: we committed to provide people and want to have some time on the agenda for it

Aleecia: we like the idea, trying to find the time in the agenda
... Friday is best bet - although that may not work for all

<npdoty> discussion of a document on the boat? :)

<fielding> host a dinner ;-)

<rigo> +1

<npdoty> +1 on Global Considerations Dinner :)

<Joanne> +1 on dinner

Aleecia: happy to pull together a global considerations dinner

ShaneW: sooner the better re: schedules

<aleecia> sorry rigo!

<WileyS> Better for a lunch time meeting if at all possible

<ninjamarnau> who will be present from the edps?

Rigo: The Commission will be in the room on Wed and Thurs -- crucial for the global consideration discussion

<rigo> Ninja, I tried to get Rosa and Achim

Rigo: perhaps a lunch is better.

<WileyS> Thank you Rigo

Rigo to check with folks with the Commission re: scheduling

<WileyS> Rigo - lunch is better than dinner if at all possible

<Zakim> npdoty, you wanted to comment on TPE and "option" block

<WileyS> Allows for a day trip (flights in/out of Amsterdam)

<rigo> exactly

Npdoty: on the draft, we still have an issue around "user granted exceptions"

<npdoty> ACTION: rigo to follow up with EU/EC colleagues regarding possible lunch (or dinner?) to talk Global Considerations [recorded in http://www.w3.org/2012/09/26-dnt-minutes.html#action02]

<trackbot> Created ACTION-259 - Follow up with EU/EC colleagues regarding possible lunch (or dinner?) to talk Global Considerations [on Rigo Wenning - due 2012-10-03].

<fielding> unclear, what is the action?

Dsinger: people are working out the details of the APIs rather than concerning themselves with structure

<rigo> +1 to dsinger

<npdoty> npdoty: remove the "option" block around the exceptions

Dsinger: wants to remove the option block around the exceptions

Schunter: send a final email to the list, and look to remove by next week

<fielding> I would be happier if at least one browser committed to deploy it.

Npdoty: will send email

<npdoty> s/npdoty/npdoty/

Aleecia: everything discussed from here on in potentially goes into NEXT editor's draft

<dsinger> issue-25?

<trackbot> ISSUE-25 -- Possible exemption for research purposes -- pending review

<trackbot> http://www.w3.org/2011/tracking-protection/track/issues/25

issue 25, research purposes

Aleecia: can we close issue-25? Objections?

<WileyS> Market research is highlighted as an element under Aggregate Reporting

<justin_> "aggregate reporting"

Npdoty: still have some permitted uses being discussed: Aggregate Reporting

<justin_> It's disputed, so we should probably keep it open.

Discussion on the following quick summary of where we are on issues

Npdoty: keep it open

<npdoty> "re-structuring to reflect reality" :)

<justin_> I'll put ISSUE-25 in the draft in aggregate reporting.

Aleecia: need to capture some of the history behind issue-25. Nick to capture

<npdoty> update issue 25 to refer to the current open question around aggregate reporting as a separate permitted use

<aleecia> http://lists.w3.org/Archives/Public/public-tracking/2012Sep/0141.html

<npdoty> I understand that we do have agreement on market research itself not being a separate permitted use

<aleecia> To the extent reasonably necessary for inspection of product bugs and performance, third parties may engage in tracking. Use of graduated response is preferred.

<aleecia> Operators MAY retain data related to a communication in a third-party context to use for identifying and repairing bugs in functionality. As described in the general requirements [reference to Minimization section], services MAY collect and retain data from DNT:1 users ONLY when reasonably necessary to identify and repair errors in functionality. Services SHOULD use graduated responses where feasible.

<Brooks> 678 580 is Brooks just joining

<dsinger> Notes that this is also under the general requirements for all permissions (that data collected for a permission cannot be used for other purposes)

<npdoty> can someone point me to dwainberg's text here?

<rigo> I would introduce "strictly bound to debugging purpose"

<dwainberg> Parties may collect and use data in any way to the extent reasonably necessary for the detection and prevention of malicious or illegitimate activity.

<fielding> for security/fraud: Parties may collect and use data in any way to the extent reasonably necessary for the detection and prevention of malicious or illegitimate activity.

<Chris_IAB> debugging = product development?

<rigo> no

<rigo> debugging == debugging

<justin_> So, dwainberg, are you against retaining the language about preferring graduated response? Your answer was unclear.

<dwainberg> I'm not sure what purpose it serves.

<rigo> Chris_IAB, you can only debug a product that already exists

<Chris_IAB> with all respect rigo, just as a clarification, debugging is in fact a part of ongoing product development

<WileyS> Rigo, Chris could be suggesting "product improvement" (as development could mean something net new or something that is evolving from its current state)

<aleecia> debugging v. security confusion on my part -- not helpful! -- sorry, all

<JoeHallCDT> Chris_IAB debugging may be a subset of product development, but there's a lot more under that umbrella

Npdoty: graduated response came from discussions in bellevue

<dsinger> we need a definition of graduated response; we use it in several places. "As you dig deeper, and know you need more data, then turn on the collection then."

<adrianba> we also discussed graduated response in the debug session

<Chris_IAB> fair enough points all; I just wonder if all of this can be effectively handled under the same condition model?

Rfielding: graduated response came from security discussion not the debugging discussion -- doesn't belong in debugging

<rigo> WileyS: product improvement is a semantically loaded term in our area

<WileyS> debugging a 3rd party ad network - one individual reports the bug but you need to look at the data of many to confirm the source of the issue

<rigo> +1 to roy

Fielding: not sure how this deserves a separate exception

<justin_> I do not feel very strongly, and "reasonably necessary" should effectively mean the same thing.

<Zakim> ifette, you wanted to say i have no idea what graduated responses means

<WileyS> Publisher reports an error with an ad showing on their site - requires you look at the data of many users seeing the ad to see what variables may be driving the source of this issue. Not only user reported issues (although that's a valid source as well)

<ifette> :)

<JoeHallCDT> npdoty that sounds like the UC Berkeley I School graduate student bullpen that I know and love

<aleecia> presumably someone put us on mute :-(

<aleecia> or rather, hold

Dwainberg: don't understand the purpose of the language. It hinders our goals by offering too much explanatory text. When we say "to the extent reasonably necessary for..." is enough

<aleecia> Non-normative explanation: This permitted use is intended for short-term diagnosis and repair of third-party Web functionality, commonly in real time. Long-term retention of all data is not compatible with this permitted use. This permitted use is not intended to cover broad quality assurance measurements.

<WileyS> Roy, do those examples give you enough context?

Dwainberg: big terms like graduated responses may lead to confusion and ambiguity

<justin_> Shrug. Fine.

<fielding> the short-term should be normative

<npdoty> I understand that we're talking about the debugging use, not the security/fraud use

<justin_> +1 to fielding

<aleecia> Debugging not security: so sorry to have started us down the wrong path

<WileyS> DSinger - doesn't represent the real-world. We have bugs EVERY day, not just SOME day. :-)

Dsinger: the graduated response language means that you are able to collect a bit more data because you suspect you have a specific problem that needs to be diagnosed

<fielding> My software does not have bugs every day. ;-)

<jchester2> +1 Singer

<adrianba> +1 to dsinger's description

* Chapell notes that Google is recruiting ringers for the next battle of the ad industry bands

<Chris_IAB> LOL WileyS, you mean that all of our commercial code is flawed? No way ;)

<WileyS> Roy, Your users may implement things incorrectly such that they point the finger at your software as being the source (when they're really the problem).

<dsinger> I know that bugs are eternal, but specific issues that warrant collection of specific data are not

<fielding> I'll give them a full refund on Apache

<WileyS> Chris, with over 160 platforms and products - we definitely generate bugs everyday.

<johnsimpson> did call fail

<WileyS> Roy, LOL - you get what you pay for!

Dwainberg: talking about debugging for DNT in particular

<fielding> johnsimpson, we are still on

Dwainberg: What are "Broad quality assurance measures"?

<Chris_IAB> WileyS, I'm totally with you... Bugs are reported constantly (not all are bugs in the end)

<justin_> You're allowed a 6-week (or so) grace period anyway, do we need extra retention beyond that for prophylactic debugging?

<dsinger> I think it suggests you are not collecting data either (a) to make sure you don't have a bug or (b) in case a bug turns up.

<WileyS> chris, but you need the data to determine if the report is truly a bug or not - and then diagnose the source if it is.

<Chris_IAB> justin_, I agree with your premise in general, just not the 6-weeks part

<WileyS> +1 to what Ian just said (all debugging - not just DNT)

Ifette: Dwainberg assumed that this was debugging in relation to DNT --- Ian's assumption is that this may have nothing to do with DNT

<npdoty> agree, this is about debugging in general, not just about DNT

<rigo> +1

<dsinger> agree with ifette, the BUG might be non-DNT-related (like, you're showing the wrong ads to under-3-year-olds)

<Chris_IAB> +1 to Ian's point

Ifette: the point is that one may want to collect additional information from certain users who have DNT enacted -- just to address the bug

<aleecia> so at that point, why not debug just with the non-DNT:1 users if possible?

<aleecia> if you have a very small set, that makes sense to me

<justin_> Chris_IAB, ha, not meaning to weigh in on the call-for-objections issue, just saying we should keep that grace period in mind . . .

<WileyS> DSinger, is this a common problem for Apple, showing ads to under 3 year olds?

<aleecia> that makes sense to me

<npdoty> if you're worried specifically about retaining too much data for DNT users and trying to debug that, I'm not sure we need a permitted use to retain more data on those users

<dsinger> WileyS, rumors of pending regulations in Elbonia around neonatal advertising etc. :-)

<aleecia> and: agree this is not *limited* to debugging DNT:1 users

<JoeHallCDT> and it's not just about debugging DNT, it's about needing to collect data that DNT would otherwise prevent

<JoeHallCDT> +1

Ifette: If you get a signal that some of your users are experiencing an issue, and you know you need additional data to debug, this tries to create some flexibilty for that scenario

<WileyS> dsinger, but that's the best time to program them though!

<Chris_IAB> Potential response to DNT user: we see your bug, but we can't fix it because you are not allowing us enough information to fix it... sound good? I'm not sure...

<BrendanIAB> hah

<aleecia> short term & diagnostic

<npdoty> fielding: really think this should be short term and diagnostic

Fielding: cautions against others from trying to have this exception apply to data collection in the long term and/or a broad based exception for data collection

<npdoty> I'm hearing fielding's suggestion that we add something related to "short term" or "diagnostics" into the normative text, not just explanatory text

<ksmith> Chris_IAB - problem with that is - often the bug is not visible to the end user.

<aleecia> And I'm hearing questions about what graduated response means

<aleecia> With suggestions from David Singer there

Rigo: short retention on debugging data is key

<Chris_IAB> ksmith, I agree. I think we should allow data collection and retention for the purpose of debugging and ongoing product development/improvement. Full stop.

<npdoty> ... debugging a precise, understood term

<BrendanIAB> Non-normative text of "try not to use DNT:1 data" doesn't seem necessary if it's clearly "for debugging"

<WileyS> Remove "graduated response"

<dwainberg> +1 WileyS

<WileyS> +q

<fielding> not graduated response (it doesn't even make sense for security)

<rigo> sure, but get short retention and debugging purpose

<dwainberg> Also remove "tracking"?

WileyS: Graduated response will be difficult to explain

<amyc> suggest that concept and text of reasonableness would be good substitute for graduated response

<BrendanIAB> Isn't moving from "

Aleecia: wants Nick to use Graduated Response for now -- may take it out

<rigo> WileyS, we could replace the compliance spec by one sentence: be reasonable. But that may be subject to dispute :)

<justin_> Does anyone want to argue on behalf of graduated response? I do not if "reasonably necessary" is in there.

<WileyS> Rigo, I like that - AmyC said something similar

<npdoty> ACTION: doty to update debugging text (add normative 'short term', 'diagnostic', expand on or replace "graduated response") [recorded in http://www.w3.org/2012/09/26-dnt-minutes.html#action03]

<dsinger> so, (a) specific problem (not general anxiety) (b) short-term (not indefinite) and (c) proportional/graduated response (only the data you reasonably need)? and the last is in anxiety/dispute?

<trackbot> Created ACTION-260 - Update debugging text (add normative 'short term', 'diagnostic', expand on or replace "graduated response") [on Nick Doty - due 2012-10-03].

<jchester2> +I think graduated response is more effective for users

<BrendanIAB> Isn't moving from "I am not collecting DNT:1 traffic" to "I am collecting DNT:1 traffic for debugging" a two-stage "graduated response" anyway? Calling out "graduated response" seems redundant.

<WileyS> -q

<rigo> jchester2, doubt that, "graduate response" was the name of the NATO doctrine to nuke the Russians

<aleecia> Research: collection and use of identifiable data for market research or other longitudinal aggregation purposes is not generally within the context of a particular request; only unlinkable data may be retained for this purpose. As described above, identifiable data can be stored during short term logging to generate aggregate reports.

<aleecia> Changes from the editors' draft: Remove "Aggregate Reporting" section. Ensure that unlinkable data is prominently declared out of scope of these requirements earlier in the document. Ensure that the "Short Term" permitted use makes it clear that retaining identifiable data for the short term is allowed for creating aggregate reports.

<jchester2> What do we mean short term for ID retention? Is that linked to a specific campaign?

<WileyS> Rigo, I believe it's the definition of "unlinkability" that is the bigger confusion

<jchester2> +Rigo

Rigo: complexity, not consensus, explains lack of response

<npdoty> jchester2, I mean "short term" to refer to the separate short term logging permitted use (which might be 6 weeks, or whatever the group comes down on)

Rigo: what is the minimum requirement on the aggregate information?
... Aggregate is fine, but please make sure that you can't re-identify in order to avoid discrimination

<jchester2> Nick, I think that's too vague for this key area. It needs a discussion to understand the contours and impact of such use.

<justin_> I think that the text is clear that you cannot maintain non-deidentified data for the purpose of research/improvement.

<npdoty> jchester2, can you explain more?

<WileyS> Justin, agreed - you'd maintain the data only to develop the aggregate outcome to then do market research and product development

<npdoty> I think rigo's point is that defining unlinkable is the difficult part

<fielding> justin_, non-deidentified? ouch

Dwainberg: Doesn't understand "not generally in the context of a particular request"

<jchester2> Market research has changed in terms of capabilities and use, inc. in the real time targeting context. So I hope our market research colleagues and others can discuss how it's used today and the implications for DNT:1

<justin_> fielding, You know what I mean!

<JoeHallCDT> fielding, using double negatives like that is an art

<rigo> WileyS, we have to come up with a plausible process of transforming personal data to unlinkable data, not define unlinkable data

npdoty: Not proposing this as text for the document.

<rigo> so we just define that process, not the quality itself

<rigo> because "unlinkable is a moving target"

<WileyS> Rigo, I believe those are one in the same

<npdoty> apologies for the formatting, which was apparently very confusing :)

<justin_> rigo, there is a separate outstanding question of what constitutes unlinkabling

<dwainberg> yes

<jchester2> Yes, I think!

<npdoty> npdoty: intended "generally within the context" to explain the reasoning for this permitted use, not as new text

<johnsimpson> say again what we have agreement on..

<Chris_IAB> I like unsinkable Ed :)

Aleecia: action item: editors make changes for NEXT editors draft

<justin_> Sure

<jchester2> we might have more consensus if it was just unsinkable!

<johnsimpson> thanks got it

<npdoty> agreement to remove this as a separate permitted use and move the discussion to the unlinkable definition

<aleecia> * Legal Compliance: as previously agreed, legal requirements overrule prohibitions of this standard, though contractual obligations do not.

<aleecia> Adherence to laws, legal and judicial process, and regulations take precedence over this standard when applicable, but contractual obligations do not.

<aleecia> Changes from the editors' draft: Replace "Compliance With Local Laws and Public Purposes" section with previously agreed upon text (5/23/2012).

<jchester2> Oh you folks in academia! Always making obscure references

<npdoty> ACTION: brookman to update draft to remove aggregate permitted use, highlight unlinkable section where discussion may continue [recorded in http://www.w3.org/2012/09/26-dnt-minutes.html#action04]

<trackbot> Created ACTION-261 - Update draft to remove aggregate permitted use, highlight unlinkable section where discussion may continue [on Justin Brookman - due 2012-10-03].

<rigo> is there a link for that text?

<Chris_IAB> depending on jurisdiction, common legality could be tied to contract legality

<jchester2> Shane. Yes, we are all getting sinking feeling. Hopefully cured before F2F!

Aleecia: this ties into what Nick and I are discussing re: Permitted Uses

<fielding> Nick's text: Adherence to laws, legal and judicial process, and regulations take precedence over this standard when applicable, but contractual obligations do not.

<npdoty> s/Aleecia: this/Aleecia, this/

<npdoty> npdoty: just proposing the text that we agreed on in May, which may have gotten confused as editors combined new text

<WileyS> EU Data Retention Directive

Amyc: Discussions in Bellevue. Existing contractual obligations vs new terms....

<npdoty> was there broad consensus in the room around that? grandfathering existing contracts?

Amyc: grandfathering concept for existing contracts is not embodied in current text

<Chris_IAB> Devils advocate on a potential 3rd-rail topic: What/who decides what is a "law" then? Which states are recognized by the W3C?

Amyc: to add additional language to address

<vinay> Amy - I can help you with it

<rigo> Chris_IAB, all!

<amyc> thanks

<npdoty> ACTION: colando to draft text regarding existing contracts (with vinay) [recorded in http://www.w3.org/2012/09/26-dnt-minutes.html#action05]

<trackbot> Created ACTION-262 - Draft text regarding existing contracts (with vinay) [on Amy Colando - due 2012-10-03].

<dsinger> thinks we should not say that doing something contrary to the spec. in order to comply with local law is *compliant* but may be *needed*, and maybe we need a qualifier to indicate (as previously discussed)

<Chris_IAB> Rigo, for example, does tribal law in the US, where the tribe is legally a sovereign state able to make its own laws, work for you?

Dsinger: "it may be necessary for you not to comply with this specification in order to comply with local law"

<rigo> Chris_IAB, sure!

<Chris_IAB> Rigo, if so, then all ad networks may move to American Indian reservations, and help them enact new laws...

<npdoty> dsinger, I think that point was raised in earlier discussion, and we came to agreement on this text

<amyc> think there is a separate section and issue regarding spec compliance

<rigo> Chris_IAB, they didn't move yet to the Cayman Islands or to the Turkish part of Cyprus?

<Chris_IAB> local law = city government laws and regulations too?

Dwainberg: This ties into the concept of enabling parties to communicate that their honoring of DNT may be different from that outlined in the spec
... agrees with the concept about not creating contractual loopholes

<tlr> "applicable law"

<npdoty> if you agree with the concept and we came to consensus on this several months ago....

Aleecia: suggests that DWainberg work with Npdoty

<rigo> tlr, "applicable" may be the main headache

<tlr> we can't solve what's applicable. So we just say "comply with applicable law, please"

<fielding> I am struggling to understand why we need this clause -- no other specification I've worked on needs to point out that local laws might apply

<Chris_IAB> rigo, they haven't moved... yet.

What might be bothering Dwainberg is the example that I've outlined in IRC

<amyc> david, welcome your participation in my ACTION:-)

<aleecia> * Identifiers: flexibility is provided to implementers on how they accomplish permitted uses and minimize data retention and use. Implementers are advised to avoid data collection for DNT:1 users where feasible to enable external confidence.

<aleecia> Placing third-party cookies with unique identifiers (and other techniques for linking data to a user, user agent or device) are permitted where reasonably necessary for a permitted use. Requirements on minimization and secondary use, however, provide limitations on when any collection technique is compatible with a Do Not Track preference and what the implications of that collection are.

<aleecia> To give flexibility to implementers in accomplishing the requirements of this specification and the listed permitted uses, no particular data collection techniques are prescribed or prohibited.

re: the pharma company self-reg requirements that may fall outside of what 'the law' says, but must be complied with nonetheless

<aleecia> Implementers are advised that collection of user data under a Do Not Track preference (including using unique tracking cookies or browser fingerprinting) may reduce external auditability, monitoring and user confidence and that retention of such data may imply liability in certain jurisdictions in cases of secondary use; for more information, see the Global Considerations.

<dwainberg> Alan, what was that example? I missed it?

<dwainberg> amy, yes, I'll be happy to

<Chris_IAB> Rigo- Interesting that a state wishing to induce commerce, might create laws that are favorable to industry, in an effort to circumvent DNT... given this provision.

<aleecia> so by "identifiers" we mean "unique identifiers"

<Chris_IAB> Rigo, do laws include case law in addition to stated law?

<WileyS> Great work Nick on threading the unique ID needle

<fielding> No idea where it goes in spec.

<rigo> Chris_IAB sure

<WileyS> +1

<johnsimpson> -1

Aleecia: Straw poll. +1 if you can live with this text

<fielding> +1

+1

<jchester2> -1

<rigo> +1

<justin_> +1

<dwainberg> +1

<Chris_IAB> Rigo, it may be more wise to stay away from the "law" provision in general, and stay silent...

<Chris_IAB> +1

<npdoty> fielding, we currently have this section on identifiers: http://www.w3.org/2011/tracking-protection/drafts/tracking-compliance.html#no-persistent-identifiers

<Brooks> +1

<jeffwilson> +1

<hwest> +1

<dsriedel> +1

<BerinSzoka> +1

<vinay> +1 (though same company -- Adobe -- as Roy)

<Simon> +1

<rigo> Chris_IAB, nope, this is a rule of conflict. And we clearly say that law overrules. This is essential for later regionalization

<npdoty> johnsimpson or jchester2, is it possible to elaborate on those concerns? (via email or a separate call is fine)

<Chris_IAB> Rigo, respectfully, I think that weakens the spec, but it's your call I suppose

<aleecia> * Minimization

<aleecia> A third party MUST ONLY retain information for a permitted use for as long as is reasonably necessary for that use. Third parties MUST make reasonable data minimization efforts to ensure that only the data necessary for the permitted use is retained. A third party MUST provide public transparency of their data retention period; third parties may enumerate each individually if they vary across Permitted Uses. Once the period of time for which a party has declare

<aleecia> data retention for a given use, the data must not be used for that permitted use. After there are no remaining Permitted Uses for given data, the data must be deleted or rendered unlinkable.

<aleecia> Where feasible, a third party SHOULD NOT collect linkable data when that data is not reasonably necessary for one of the permitted uses. In particular, data not necessary for a communication (for example, cookie data, URI parameters, unique identifiers inserted by a network intermediary) MUST NOT be retained unless reasonably necessary for a particular permitted use.

<aleecia> Changes from the editors' draft: Add collection limitation requirements.

<aleecia> Note: it may be that this is the only time a requirement/prohibition is necessary regarding "collection". All other requirements would be prohibitions on retention (beyond what is necessary, or beyond a short-term logging period) or sharing. A definition of collection, then, is only needed for this minimization concept. "Tracking" can be defined through "retention", "use" and "share" only.

<WileyS> johnsimpson or jchester2, could you please provide the details of your concerns on the public email list?

<rigo> W3C is no ruling authority, just a platform that creates useful things

<npdoty> text before "Changes from the editors' draft" is the normative text, text after that heading describes the changes

<npdoty> the paragraphs with MUST ONLY, MUST and SHOULD NOT would be the normative text

<aleecia> * Secondary Use

<aleecia> A third party MUST NOT use data retained for a particular permitted use for any other purpose.

<aleecia> Changes from the editors' draft:

<aleecia> Clarify that data retained for one purpose cannot be re-purposed (even if the second purpose might be related to another permitted use).

<aleecia> Note: This does not require keeping separate copies of data for different permitted uses (agreement in Seattle that a single copy is allowable), but does require that data retained for one stated purpose cannot be repurposed, even in aggregate form. (See resolution at the end of: http://www.w3.org/2012/06/21-dnt-minutes#item08)

Aleecia: IFette had text from Seattle that was helpful

<johnsimpson> Where is Nick's text now? Just on email list?

<npdoty> if someone has a pointer to Ian's text that would be useful, please point me to it

Fielding: has concerns with last sentence

<fielding> this one: In particular, data not necessary for a communication (for example, cookie data, URI parameters, unique identifiers inserted by a network intermediary) MUST NOT be retained unless reasonably necessary for a particular permitted use.

<rigo> Ninja, After there are no remaining Permitted Uses for given data, the data must be deleted or rendered unlinkable.

<dsinger> maybe it should say "In particular, data not necessary for a communication (such data might be cookie data, URI parameters…" to respond to Roy?

<rigo> .. should be only kept for that particular permitted use, shift in use shouldn't be possible

<rigo> ... or shift in purpose

<fielding> the sentences before that are sufficient (and more accurate)

<dwainberg> It's redundant, isn't it?

<WileyS> +q

<dwainberg> and adds potential for confusion

<rigo> I don't think it is redundant

<dwainberg> "MUST only retain ... " says enough doesn't it?

<WileyS> Oh well, I tried. :-)

<npdoty> I'll take an action to try to address that, thanks WileyS for the promising suggestion

<rigo> move (examples) at the end of sentence

<rigo> ninja wants to contribute text to minimization? Action?

<npdoty> ACTION: ninja to provide updated text regarding minimization (with nick) [recorded in http://www.w3.org/2012/09/26-dnt-minutes.html#action06]

<trackbot> Created ACTION-263 - Provide updated text regarding minimization (with nick) [on Ninja Marnau - due 2012-10-03].

<mikeo> q

<npdoty> we will have a call-in bridge and ability to see screens remotely

<npdoty> adjourned.

Summary of Action Items

[NEW] ACTION: 256 to DWainberg -- pending review [recorded in http://www.w3.org/2012/09/26-dnt-minutes.html#action01]
[NEW] ACTION: brookman to update draft to remove aggregate permitted use, highlight unlinkable section where discussion may continue [recorded in http://www.w3.org/2012/09/26-dnt-minutes.html#action04]
[NEW] ACTION: colando to draft text regarding existing contracts (with vinay) [recorded in http://www.w3.org/2012/09/26-dnt-minutes.html#action05]
[NEW] ACTION: doty to update debugging text (add normative 'short term', 'diagnostic', expand on or replace "graduated response") [recorded in http://www.w3.org/2012/09/26-dnt-minutes.html#action03]
[NEW] ACTION: ninja to provide updated text regarding minimization (with nick) [recorded in http://www.w3.org/2012/09/26-dnt-minutes.html#action06]
[NEW] ACTION: rigo to follow up with EU/EC colleagues regarding possible lunch (or dinner?) to talk Global Considerations [recorded in http://www.w3.org/2012/09/26-dnt-minutes.html#action02]
 
[End of minutes]

Minutes formatted by David Booth's scribe.perl version 1.137 (CVS log)
$Date: 2012/09/26 17:34:45 $
