W3C

- DRAFT -

Catch up on DNT

31 Oct 2012

See also: IRC log

Attendees

Present
Regrets
Chair
npdoty
Scribe
dsinger


invite trackbot


Summary of DNT

npdoty: introduces the tracking preference expression and compliance documents

http://www.w3.org/2011/tracking-protection/drafts/tracking-dnt.html

http://www.w3.org/2011/tracking-protection/drafts/tracking-compliance.html

npdoty: we have a large group (up to 100) with quite a few invited experts (consumer advocates, reps of reg. agencies, advertising side, and so on)

...group is at http://www.w3.org/2011/tracking-protection/

...the TPE document describes the 'immediate' on-wire protocol. The protocol is quite simple and short: DNT 0|1

...also JS APIs, and a response framework

...and then on compliance and scope, describes the server behavior in response to the preference

...sets limits on collection/retention/use of data

...compliance is under active debate

...that's the summary, members are in the room

rigo: DNT started off in the US market, and there is an Atlantic divide

…Mozilla did a quick implementation, and then came the challenge to globalize

…for Rigo, DNT is a communication mechanism, signalling a preference and getting a confirmation from the server side

…in Europe, we have ePrivacy, article 5(3) (?), and in that debate, our constituency was ineffective, and they switched to pure opt-in

…nobody told them that pure opt-in was very hard to reach

<npdoty> Article 5(3), I believe

…and now we have the first impl., cookie banners in the UK

…not the worst idea, because we get tech. without banners and we have a route to getting consent

cargill: so this was a European issue?

rigo: sort-of: the US needs to define what dnt:1 means, and the Europeans dnt:0
... we have several hard issues, and gazillions of issues in general

Yoav: regarding the DNT status, and IE and Apache, et al., what's happening?

rigo: this is outside the WG, we have rockets inside, but this is a set of rockets flying outside.
... what IE does is much less dramatic than you might think from the press; we've seen the Apache patch, and the Yahoo! blog. this is necessary noise

…hopes for reconsideration once we get to a 'final statement'; and some of this is based on fears

…fears of blanket dnt:1 and wide damage to industry

…but people do check preferences, cookies, and so on (40% of UK users regularly delete cookies, for example)

dsinger: explains the default

adrianba: wants to draw more attention to another aspect of the work

…despite how the user gets to setting dnt:1, at some point the browser is sending dnt:1 to all sites

…but there are some the user has a relationship with, and trusts more (and note it's 3rd parties that we are worried about)

…if I have a trust relationship with some of those; there is a mechanism under way for APIs for sites to request that they don't get dnt:1; maybe I am OK with being tracked in exchange for getting something, e.g. free access; this API allows sites to do that

…this is part of an approach to fairness; if we start with dnt:1 or no header, sites should be able to ask for exceptions

…and as we have heard, cookies get lost; so cookies are too fragile, and the preference store for this API is as persistent as the signal

fwagner: adding to the explanations; from a euro perspective, we want the user to be asked, and then it's really the user's consent

rigo: in europe, there is no legal distinction between 1st and 3rd party; I personally think the distinction is a bad idea, but the consent of the WG is that we have this distinction

yoav: what is considered 'tracking users'? if 1st parties are included, and someone is logged in, can I react to their stated preference?

rigo: this is more a legal technique question than a technical one; we don't actually define 'tracking', we tell you what not to do if you are not tracking

…it's a negative definition

…so, we also use a German-like system: general prohibition with explicit permissions; reverse in the US, which is that things not prohibited are permitted

…so you get a recipe, not a simple definition

adrianba: wants to disagree with Rigo that distinguishing 1st and 3rd is a bad idea; separate legal frameworks and their geographies from the work on DNT

…the priority of DNT is the hidden data collection going on that people are not aware of

…people visit the NY Times and think it's all NY Times that they interact with; in fact, other parties are there and watching and collecting and correlating

…so I think it's important that the 1st party (the party the user chose to visit and share with) is different from 3rd (parties they are mostly unaware of)

…we don't expect to solve all data collection issues, esp. for Europe

carl: how are you going to solve this issue?

…I thought it was the world-wide web

npdoty: part of motivation was to have a world-wide standard (rather than regional practices or regulations), makes life much easier for engineers et al.

…not OTOH we can help with some of these legal/regulatory issues that come up; general solutions that may apply specifically in some geographies

carl: worried about the apparent stasis in the committee right now

npdoty: we have extended the charter, but we have made rapid progress, and we are still trying to make a last-call this year

rigo: it's not the goal to 'smuggle EU values into the US', but it is a goal to have a tool that is usable in both regimes

…one measure of success is how many DPAs endorse this…but they are saying January for review...

danappelquist: any comment on 'the' famous letter from a US politician [[room: which one?]]

npdoty: we find it kinda novel that we get letters from Congress et al. to a public W3C mailing list.

rigo: the other side of the Atlantic got anxious and felt they needed to write also

npdoty: we've used invited experts to get data-protection authorities on both sides of the pond

carl: did you invite the commission to join?

rigo: commission doesn't join
... it's great we have FTC and Article 29 working party, at the table. this time they are part of the process

shh (Steve Holbrook - IBM): are there bugzilla bugs that result from these letters?

npdoty: I don't think the letters are irate, or that specific. we get suggestions (e.g. on alternative approaches to default settings)

paulcotton: (Canadian) so, input from US and Europe; this is the W3C, what about other governments? Canada is very active in this area

rigo: we have several active Canadians, we think NGO rather than officials; we have a special relationship with xxxx (privacy by design), and others. perhaps Canada is positioning in the middle (as a nice business position)

npdoty: have Japanese and Chinese companies, and had some side conversation with Japanese ministry groups; we used a CG for some NGOs, who couldn't commit the time or travel to the WG.

dsinger: anxiety about small amount of input from Asia (and maybe Middle East)

runnegar: introduces self (internet soc. privacy interest group). interested you are keen to get input from legal/policy people, and is happy to help facilitate getting input from that. you'll need to translate it to get that input, and can help

npdoty: wrap-up!


Summary of Action Items

[End of minutes]

Minutes formatted by David Booth's scribe.perl version 1.137 (CVS log)
$Date: 2012/10/31 15:58:13 $
