W3C Workshop: Do Not Track and Beyond

27 Nov 2012

See also: IRC log


js, npdoty
wseltzer, JoeHallCDT


<wseltzer> scribenick: wseltzer

User Studies and User Concerns

[agenda: http://www.w3.org/2012/dnt-ws/agenda.html]

Chris_Hoofnagle: paper, http://www.w3.org/2012/dnt-ws/position-papers/8.pdf
... background and earlier work; Web privacy census, benchmark how much tracking is on the Internet
... idea from Beth Givens, benchmark how much tracking is occurring to evaluate self-regulation
... since we began 5 months ago, already seen a big uptake in 3d party tracking.
... switch from LSOs to HTML5 local storage.

[Berkeley Web Privacy Census: http://www.law.berkeley.edu/privacycensus.htm ]

scribe: idea, as we move forward with self-reg or DNT, get a sense of impact
... Other branch of work, user studies, asking consumers about privacy issues.

[Consumer privacy survey: http://www.law.berkeley.edu/13260.htm ]

<npdoty> consumers having a sense that companies have a fiduciary role with respect to their data

scribe: young adults care about privacy, do the worst in understanding it.

<npdoty> youngest users do the worst on privacy quizzes, interesting

scribe: OBA could be done differently, with more room for compromise between advertising and privacy

<JoeHallCDT> goldman, nissenbaum and bellovin have proposed client-side privacy preserving profiling

<JoeHallCDT> (would love cites to Goldman and Bellovin)

scribe: Fully half of users say they never click ads.

JoeHallCDT, the cites are in Chris's paper

<JoeHallCDT> ah


Chris_Hoofnagle: majority of users surveyed had not heard of Do Not Track

<JoeHallCDT> bellovin: Elli Androulaki and Steven M. Bellovin, A secure and privacy-preserving targeted ad-system, in Proceedings of the 1st Workshop on Real-Life Cryptographic Protocols and Standardization, Jan. 2010.

<JoeHallCDT> goldman: Eric Goldman, A Coasean Analysis of Marketing, 2006 WIS. L. REV. 1151 (2006).

<npdoty> Androulaki and Bellovin paper is from 2010, http://dl.acm.org/citation.cfm?id=1894875

Chris_Hoofnagle: when asked what they'd want it to do, most said "prevent websites from collecting information about you."
... Changes in self-reg positions, rules have become weaker over time.

<npdoty> 13% of the national population having heard of DNT seems like a large number

Chris_Hoofnagle: NAI won't talk about their old rules. We don't think NAI is credible.
... policy statements without purpose, no measurable standards, NAI is a project of a consulting group.

DavidWainberg: NAI is independently incorporated

Chris_Hoofnagle: There are alternatives. Find self-regulation with more credibility.

<JoeHallCDT> I've spoken with Anthony Prestia of NAI and they certainly do measurement against their guidelines

DavidWainberg: Ads work, companies continue to invest in advertising. Both brand and click-through.

Bernard_Urban: run a privacy company, formerly with SiriusXM.
... I'd spend $1/4M on an initiative, I wouldn't spend that if they couldn't prove conversion.
... 500k people have joined our current service to figure out how to protect themselves online.

Chris_Mejia: IAB and DAA. We have an enforcement body, Council of Better Business Bureaus
... where is your [Chris's] research coming from? I haven't gotten inquiries.

Chris_Hoofnagle: We discussed gulf in protection between 2000 NAI statement and more recent DAA

Max: Curious about your age results. Experian's studies show younger you are, the less you care about privacy.

Chris_Hoofnagle: We've asked both attitudinally and willingness to share information.

DavidWainberg: You're not aware of NAI's dedicated compliance staff, do yearly reviews, worked with companies privately to improve their practices, publicly called out companies for non-compliance
... Strongest compliance program of any in its space. Encourage you to talk with us.

Chris_Hoofnagle: World Privacy Forum 2007 study critiqued NAI
... we updated that study on norms of self-reg

Frank_Dawson: Nokia-Siemens interested in trust perspective

<JoeHallCDT> I believe this is the WPF report on NAI that Chris mentions (I haven't read it): http://www.worldprivacyforum.org/pdf/WPF_NAI_report_Nov2_2007fs.pdf

Frank_Dawson: studied emerging markets. NSN survey echoed Chris's remarks
... 3 segments, "frightened family," no understanding, rational approach in the middle

<npdoty> echoed in the sense that not a big difference in views for younger users, right?

<JoeHallCDT> believe so

Frank_Dawson: across all age groups, a proportionally high attitudinal concern re collection of personal data.
... approx 3/4

Blase_Ur: here with Pedro Leon, CMU
... User studies re behavioral advertising

[CMU paper: http://www.w3.org/2012/dnt-ws/position-papers/6.pdf ]

Blase_Ur: Smart, Useful, Scary, Creepy: Perceptions of Behavioral Advertising

<npdoty> dsinger, I think Chris had referred to work from Joe Turow on trade-off studies, though I'm not familiar with them

Blase_Ur: 48 non-technical users interviewed in the lab

<JoeHallCDT> dsinger: in fact, it's weirder than that... Acquisti's recent work on "privacy paradoxes" shows that very subtle and specific ordering issues in the substance of a trade-off can make big differences

<npdoty> JoeHallCDT, dsinger so there might be differences between attitudinal and behavioral and even other dimensions (fear of loss, etc.)

<JoeHallCDT> speaking for CDT, we'd love to get some of these opposing interests into a room and hammer out a research design that everyone could agree would be relatively unassailable, then fund a good third-party to do it

Blase_Ur: Low awareness of tracking. Users don't know how it works, who's involved.
... lots of misunderstanding of ad companies, business. e.g. thinking that Microsoft advertising = operating system software, not ads

<npdoty> example phrase from interviewing users: "I never really thought of Google as an advertising company"

Blase_Ur: no familiarity with opt-outs or DNT (a year ago)
... expected options in Web browser and anti-virus

<npdoty> JoeHallCDT, I'm also interested in seeing what we would need in a research design in order for it to satisfy everyone's questions

<jeff> +1 Joe

<npdoty> concern about surreptitiousness (when they've just found out about it)

<npdoty> "lack of knowledge led them to think the worst" (making assumptions about identity theft as a risk, for example)

Pedro_Leon: tested 9 tools for OBA control
... opt-out such as DAA, blocking tools (Ghostery, Adblock plus), browser settings in IE, Firefox
... 45 participants using the tools
... generally, interfaces not very good, leading users to get results different from what they expected
... e.g. problematic opt-out aboutads.info showed only those companies currently showing personalized ads
... jargon-heavy pages confuse users, lead to misconfiguration

<rvaneijk> * has seen the problem that the DAA opt-out values may change over time, which makes the opt-outs less persistent than users may think they are

Pedro_Leon: common usability problems include blocking-tool defaults that block nothing; jargony interfaces;

<npdoty> the jargon/usability issues might be good input for the technology sessions

Pedro_Leon: lack of feedback, especially with browser settings and opt-out tools, where users expected to see something happen

<rvaneijk> * in addition to that observation, also the opt-out variable names are not consistent over time which contributes to less persistency

Pedro_Leon: misconceptions, blocking tools break functionality
... recommendations: understand what users care about, how they make decisions. Conduct iterative studies to understand mental models, skills and abilities of users.
... work in progress. http://cups.cs.cmu.edu/

Jeff_Jaffe: are we at a point where there are best practices vendors can adopt, or is it too early?

Pedro_Leon: Some best practices can already be adopted. We should also iterate in testing.

<JoeHallCDT> rvaneijk, what do the opt-out variable names have to do with it?

Blase_Ur: design practices can help; build on what's already familiar to users

Max_Kilger: Experian, paper: http://www.w3.org/2012/dnt-ws/position-papers/28.pdf

<rvaneijk> @Joe, everything, because the opt-out will not be effective on the server if it is not matching.

<JoeHallCDT> ah, but don't the servers set those values... so that their server-side code would naturally match... let's talk offline.

Chris_Mejia: Be clearer on terminology

Blase_Ur: We didn't use "track" in our studies, but asked about data collection
... or we asked users, what did you opt out of? most common response, "data collection"

Max_Kilger: how does privacy actually work, for people
... Experian Simmons, consumer research organization, national probability sample of 25K + respondents
... privacy-protected
... privacy is complex and multi-dimensional; many perspectives.

[cites: Margulis 1977, Rosen 2000, Lie et al 2010, Norberg et al 2007, Smith et al 2011 lit review]

scribe: help companies manage privacy relations with their customers
... US adults from 2012 study.
... data: "I feel I understand the risks of providing personal info online" ~60% agree
... "I use the internet less than before because of privacy concerns" ~25%
... "I'm willing to provide some personal information to a company in order to get something that I want" ~45%

<npd> the interesting quadrant are those who are proactive about privacy but also varyingly willing to trade information for a service

scribe: segments describing people's privacy attitudes
... on-off is too primitive to describe attitudes
... instead of giving on/off switch, suggest a series of questions to develop a strategy, tolerance

Rigo: I heard users expressing fear of decontextualization of data.

@@: Privacy Choice, gives people a choice to block all tracking, or block tracking by companies who haven't gotten compliance review.

scribe: JimBrock were comfortable releasing data to those who'd gotten compliance review.

<nweaver> On fine-grained controls: I look at the difference between Android (fine grained) and iOS (very simple) access controls and conclude that fine grained controls actually make things worse, as in practice, users can't make meaningful decisions

<nweaver> 30% IIRC

<nweaver> was the percentage

DavidWainberg: Antitrust implications to refusals to deal with non-members

nweaver: Fine-grained controls are a failure because users don't understand what it means to grant or deny permissions.

Max_Kilger: Let's ask questions and use statistical models to understand the concerns.

<npdoty> idea is ask some simple questions and then help them decide the right settings based on that and some expertise/statistics

Berin_Szoka: start with a few questions

<JoeHallCDT> I refuse to answer Berin's "show of hands" questions

<JoeHallCDT> I do not want Berin to track me

[many Californians vote to bind themselves collectively to things they don't do individually]

<npdoty> important that we have people asking different types of questions

Berin_Szoka: surveys are a poor way of answering fundamental questions
... answer in the marketplace is better than that given by surveys
... paradox of "choice architecture" is that tools are not neutral
... any time you're creating choices for users, you're influencing the choice

<npdoty> I think the DNT architecture also works well for the type of solution Jim Brock had suggested (or for that matter the CMU guys pointed out in their paper)

<npdoty> ... you could configure your browser to send DNT signals based on some system or list, if that's what you want

<JoeHallCDT> npdoty, expand (offline if necessary)

Berin_Szoka: Opt-in dystopias, Lundblad & Masiello

<JoeHallCDT> ah


scribe: How would you design an experiment to figure out what users really want?
... Coase, Demsetz

<npdoty> the libertarian paternalist point, we should initially allocate things efficiently -- am I getting that right?

<JoeHallCDT> npdoty, not inefficiently

[but then there are information-forcing rules, other values]

[and public goods problems]

<JoeHallCDT> I have a hard time considering any suffering in a voluntary standard

Berin_Szoka: Don't presume to know what users would actually choose

<npdoty> I'm trying to understand the point, is it that users wouldn't choose a market system that had a particular opt-out/opt-in system with outcomes they wouldn't like?

DavidWainberg: Is Blase's educational video available?

Blase_Ur: from the WSJ

<JoeHallCDT> npdoty, I think it's more about that the initial configuration of these kinds of tools will be what people use

DavidWainberg: How can we use this information to develop new and better ways to communicate with users?

<npdoty> http://cups.cs.cmu.edu/

Pedro_Leon: Our papers, http://cups.cs.cmu.edu/
... work has identified gaps and misunderstandings, so look to fill those holes.

<JoeHallCDT> npdoty, I'd encourage you to ask Berin to restate that, maybe less in terms of Law and Econ

<JoeHallCDT> and I take it "frictionless" is more than just asymmetry of information

Pedro_Leon: cognitive biases, challenges are even worse when users are poorly informed about the choices / practices

<JoeHallCDT> Berin is making a good case for regulation

Berin_Szoka: people are ignorant of the vast majority of things in life. Why should they know about privacy?

<npdoty> Pedro's point is that we would need more information if users are going to make good decisions

Blase_Ur: there are opportunities for companies to compete on privacy

<npdoty> from Blase (picking up on Berin), the expectation that someone is looking out for me

<rigo> wseltzer: CMU says lack of understanding, have done little work on feedback loops to help people understand

Shane_Wiley: Do you also look at the concept of harm? What happens to users when they feel their privacy isn't being respected?

<aleecia> Interestingly, users talk about privacy rights rather than privacy harms.

Chris_Mejia: How big are the chicken cages?

Pedro_Leon: Feedback is important to show users the status of the system, the impact of their actions
... so one important element of feedback would be an indicator of status, ad-blockers showing the number of elements blocked

Max_Kilger: Context question, harm question

<rvaneijk> * does Zakim have a memory beyond the irc-logs?

Max_Kilger: harm is an educational experience, but doesn't seem to deter

Pedro_Leon: concerns about "being followed"

<rigo> context? what context?

<rigo> :-/

<npdoty> I thought maybe Shane's point was that we both see differences in choices/preferences and differences in potential implications/harms among the public

Pedro_Leon: multiple users of the same computer

<npdoty> I've seen that in location privacy that there are strongly different preferences that are sometimes tied to past experiences (having had a stalker, for example)

Blase_Ur: We want to support users. If users want "privacy,"
... Feedback: is it on or off; opportunity for dialog

Berin_Szoka: fear that advertising is bad; economic literature says advertising benefits consumers and new entry to markets

<npdoty> an interesting analogy from Blase, some preferences are innate, that I don't necessarily explain why I don't like chocolate

Tools for User Control

npdoty: Some of the papers presented technical measures as an alternative to Do-Not-Track signal

MikePerry: Tor Project is a 501(c)(3) non-profit
... core purpose is to provide an anonymity and censorship-resistant network
... core network and source code just celebrated 10 years
... I started working on the project with a Firefox extension, TorButton
... Tor's thinking has now shifted from a toggle to a dedicated browser
... that changes what privacy properties we can provide.
... Tor now provides its own downloadable browser bundle


MikePerry: Three technical changes could provide DNT from the browser-side
... First-party identifier unlinkability
... first-party IP address unlinkability, 1st-pty fingerprinting unlinkability
... Goal, simplify interfaces to let users contextualize relationships
... mock UI: let all your identifier storage be represented by an icon per domain, show options below,
... e.g. site permissions, data and history, tracking
... silo all the data to its first party
... Identifier unlinkability. jail/silo identifier sources to 1st pty domain
... disable or limit features that aren't siloed
... double-key cookies, to both 1st and 3d party where it appears

[Mike's Tor Project paper: http://www.w3.org/2012/dnt-ws/position-papers/21.pdf]

MikePerry: prompt before cross-domain redirects so change of first-party is transparent
... IP address unlinkability, Tor can provide
... use SOCKS username as first-party domain to isolate streams
... modularize, so proxies can provide stream unlinkability
... recognize we can't make browsers indistinguishable across different products, but could make indistinguishable sets among a given browser's users

<Mark_Lizar> I like the report OS as windows :-)

MikePerry: fingerprinting defenses include disabling plugins, reporting a fixed set of window sizes, many more

<scribe> ... new HTML5 features need evaluation

UNKNOWN_SPEAKER: create a uniform font pack for browsers?
... what about Like buttons?
... Google's web-send.org privacy-preserving link-sharing
... W3C draft, but no longer exists in Chrome
... browser-side tracking, open source, could provide targeting without server-side tracking
... help the long-tail survive

Chris_Mejia: How would advertisers protect against fraud?

DavidWainberg: Huge benefit of Internet advertising is measurability. How can you account for that?

MeMe_Rasmussen: How are you dealing with third-party service providers?
... e.g. site optimization analytics

MikePerry: currently disabled. but dual-keyed cookies could allow them to work per-domain

Shane_Wiley: What do you do with user-agent string? Is it known that the user is using Tor?

MikePerry: The list of Tor exit nodes is public, easy to identify Tor users (and block, if you choose).
... OS/UA question is harder. We report Windows, but trying to obscure from fingerprinting is a deep rabbithole.

Shane_Wiley: So if a content provider were to decide to block Tor, would you attempt to override that?

MikePerry: We make no attempt to circumvent providers' blocks.

Rigo: I'm a regular Tor user
... On measurement, have you worked with anonymous credentials to allow proof without identification?

MikePerry: We've been thinking of proof-of-work mechanisms, Nymble
... invite help!

@@: GetCocoon is ad supported, give user tools to set privacy level

nweaver: ICSI presenting http://priv3.icsi.berkeley.edu/
... work with Mohan Dhawan, Christian Kreibich
... why should I have to rely on the trackers to stop being creepy, when we can build protections into the browser?
... Safari, "allow on previous interaction" makes sense as a cookie policy
... Challenge of multi-function trackers. trackers that also provide information on popularity, comments/feedback on products
... simply blocking them disrupts user experience.
... Google and Facebook are tracking; their business is collecting user data and selling ads.
... shows a "Like" button on "Genital Herpes" page. I don't want FB to know if I'm reading it.
... Priv3 tool designed to work with big 4: Google, Facebook, Twitter, LinkedIn. Goal to capture user intent.
... show the elements as un-logged-in until the user clicks.


scribe: I focus on self-help in the browser because I don't think I'll ever agree with NAI on whether it's OK to track me
... what happens if trackers decide to sell data to credit bureaus, get subpoenaed
... Story: I started to do some research on guns. Signed up for web forums
... with email address. a few weeks later, I got physical mail at work inviting me to join the NRA.

npdoty: Can browser self-help match current functionality?

MikePerry: With enough engineering effort, we can make these tools usable and functional

nweaver: we started with the Like button because we wanted to show that hard cases can be addressed with minimal disruption.
... on a click of the like button, just refresh the widget

npdoty: self-help in the browser is distinct from the cooperative approach, doesn't require agreement of the server

Craig_Spiezle: Online Trust Alliance @@

Deirdre_Mulligan: Security was once not a part of IETF consideration, now it's fully integrated. We don't say "that's policy". Do you see that happening in privacy?

nweaver: As a field, we've horribly violated the do-no-harm principle. Since tech has created a problem, it should help solve it (though we also require policy elsewhere)
... I like the Safari cookie policy, because it's tech backed by FTC enforcement

Jan: Can DNT and browser-enforcement go together?

JoeHallCDT: At CDT, we thought about a few versions of "beyond"

<nweaver> is there any RESPONSE to DNT that says "yes I at least theoretically respect it?"

JoeHallCDT: e.g. mobile apps, iOS 6.1 centralizes ad tracking preference
... other platform-level tracking preference expression
... Apple, documentation for limit ad-tracking preference has a number of exceptions, hard for me to understand how the exceptions are policed.

<nweaver> To answer my own question, it's OPTIONAL.

<nweaver> So I can't rely on DNT even assuming an honest server

JoeHallCDT: What happens when tracking gets even more complex? HTML5

<nweaver> Since I don't have a feedback mechanism that guarantees that the server accommodates it, thus self-help needs to be client-only even if DNT is widely but not universally accepted.

<nweaver> and clients are honest

JoeHallCDT: Consider just-in-time notifications
... Support PING's work to do cross-WG review of privacy implications


<JoeHallCDT> zakim! come back!

<johnsimpson> test

<JoeHallCDT> check 1-2

<JoeHallCDT> I'm doing it

<npdoty> scribenick: JoeHallCDT

Mechanisms for Transparency

JanS: moving to future oriented topics
... this one is about transparency

<npdoty> some potential inputs into future development

JanS: we will start with the remainder of the preso. from Pedro (CMU)
... will move on to Mark (Open Notice)
... then another Mark (IBM)

Pedro_Leon: studies about OBA privacy disclosures
... online study, N=1500
... this is about the "AdChoices" disclosures in ads
... and what they know from corresponding opt-out pages
... did they notice the disclosure and what is the message being conveyed
... started by showing a simulated version of the NYT page
... tested "why did I get this ad" and "adchoices"
... first tested to see if they noticed, then alerted them to the disclosures
... asked some questions about what the user thinks it could do
... two icons, and seven taglines
... some taglines were blank or meaningless
... results: OBA disclosures were not noticed
... purpose was misunderstood
... with "AdChoices" people thought it was to purchase ads on that site
... two taglines they made up were better at communicating OBA disclosure
... users were wary or afraid to click on these icons, regardless of icon/taglines
... 63% thought that "Stop advertising companies from collecting information about your browsing activities." was true
... recommendations [too fast to scribe]

<npdoty> http://www.cylab.cmu.edu/research/techreports/2012/tr_cylab12008.html

Shane_Wiley: does it seem that this has changed in the past year?
... where should it be today, 2 years from now, 5 years?

Pedro_Leon: don't think the icons themselves are enough for education
... maybe enough to exercise their choices
... am aware that the DAA campaign launched recently will aim to educate users
... that is a good thing to do
... whatever the tagline is, it is hard to communicate a clear message
... not surprised our two made-up taglines performed better.
... than "AdChoices"

Chris_Mejia: we have served billions of those impressions
... impressions of the educational campaign
... full-display ads
... <joke> you may have not seen it because we're targeting people that don't know what it is </joke>
... don't create a brand overnight... difficult endeavor... long arc
... easy in the early days of brand establishment for people to say, "It's not working"
... it's sort of the tortoise and the hare analogy... the brand eventually wins because it is seen over and over and over again
... and people eventually will see that
... we're just rolling out the brand campaign... at trillions of impressions for the icon
... would appreciate any help in educating users

Pedro_Leon: we want to repeat these experiments to measure effectiveness of the campaign
... following a more systematic approach with users is probably more helpful
... doing research like they do at CMU could help

Chris_Mejia: the design was very thorough
... we'll have to give this a chance to see if it sticks with users
... better to stick with this than changing the icon/tagline at this early stage

JanS: next session will be videotaped... any objections

Thomas_R: fine with video of the talk, cut off discussion

<npdoty> agree to video record this talk, but not the group discussion.

Mark_Lizar: Presenting on Open Notice
... currently notices are not open... no backise structure, written ad hoc, not localized
... what does this have to do with DNT... users need to understand what DNT means
... because notice is not standardized, this limits choices people have
... open and notice are specifically selected...
... open refers to transparency

<npdoty> lack of interoperability limits all of these efforts

Mark_Lizar: notice is common term in regulation
... consent is not possible w/o notice
... together they enable transparency and better choices
... the biggest lie on the web: "I Agree", "opt-in"... despite not having read the terms
... today I bought Nick a present
... because I'm from Canada, had to read the 1974 Privacy Act
... and a ton of other privacy policies
... I needed to figure out if they conflict... would need to call my lawyer
... can't use these in e-commerce

<scribe> ... closed notice prevents new markets in choice

UNKNOWN_SPEAKER: open notice is collaborative approach to align social, legal and technical elements


scribe: not only is openness a privacy principle, but guides the groups creating these elements
... wants Jim from Privacy Choice to share their API
... next: want to help more projects find and talk to each other
... facilitate collaboration
... enumerate challenges

<JoeHall> [not sure what this actually is]

JanS: can we see more about a few of the projects involved in the effort?
... how can w3c support the interoperability of these kinds of groups and if w3c is a place to do that.
... initial charter of TPWG included another element, maybe this could fit there?

Mark_Lizar: shows tos-dr.info
... for "terms of service; didn't read"
... recently funded
... uses collaborative approach to simplifying TOS
... icons are arbitrary, don't know what they mean out of context

erikn: is the goal to replace TOS with schematized terms? or a synopsis that is standardized?

Mark_Lizar: there's usually a checkbox... people don't tend to read them... the idea here is to put an icon beside that for informing users.
... don't want to replace the TOS, but make it richer

npdoty: most of the icon projects are not trying to replace privacy policies, but make them more like summaries

JanS: Ashkan's preso. can inform

Frank Dawson: We checked tos;dr against Nokia's policy and found that it was largely incorrect

Ashkan: Wants to echo this stuff and summarize the work to date on this
... great opportunity for potential standardization.
... We're talking about taking notice that people don't read, and turn them into short notice
... take a practice and convert it to notice and short notice and make it understandable by consumers
... capture > encode > display > enforce
... capture by locating policy, archiving it, and tracking changes
... encode it by determining facets, verify results
... display by providing an api, create icons, present to user
... enforce, regulate (or not) as necessary
... when privacy policies don't match short notice, regulators have been reluctant to enforce short notice as binding obligation
... in 2009, we did work at the I school at Berkeley and cataloged consumer complaints... with Travis Pinnick
... took a snapshot of privacy policies in time and encoded the policies based on these facets
... sent our analysis to companies and got good corrections back
... things change over time, lots of devils in the details... very hard for a manual process
... P3P was an early version of trying to determine what facets people care about and providing machine-readability
... [shows big screen of similar efforts]
... in 2012, we've seen about 10 or so different organizations try to do this
... these are short lived efforts for a variety of reasons
... this is an opportunity to standardize these efforts
... bring together people with interests here and start a standardized language for these facets

JanS: looking at the timeline graph... when I started a recent job, I was worried more about enforcement
... there could be technical enforcement; practices differ so much that this is very hard

Ashkan: with p3p, we've had cases where people would circumvent these kinds of mechanisms
... we've not yet seen a regulator go after that... because these are not statements made to consumers, but their UA.

Frederik_Borgesius: I've been skeptical, as I have no idea sometimes what the heck is in a privacy policy.
... is there a way to make categories and ask companies to write policies that address those?

Deirdre: that's what p3p did!

Ashkan: there's simply no incentive for companies to do this... when we did KnowPrivacy, it was the threat of publicity

Shane_Wiley: I was a reviewer of one of these as part of the program committee.
... agree with p3p comment, disagree that there are no incentives.
... there was some value in IE with the privacy slider
... about visualization: p3p was a great way of doing it in a slider
... your goal is trying to get closer to user understanding, right?

Ashkan: I thought p3p was attempting to do that...
... use as a configurer of a UA, could tell it to follow a set of rules based on what you want
... there was some work, in privacy bird


scribe: APPEL, a P3P preference exchange language (?) was the preference language

Rigo: p3p was 2003, not 2006... but only 2002 was a w3c Rec
... p3p remains misunderstood
... the browsers killed p3p as they never did anything useful with it
... many sites had policies but browsers didn't use it
... browsers were on their road for blocking tools... p3p is just a teethless tiger
... if you look at Rigo's paper, you'll see that out of the primelife research, researchers never came out with a compliment
... to the p3p statement vocabulary
... there is a lot of hidden information exchange... uncertainty
... there is some way to tell people what you're actually doing
... the fresh take on p3p means we throw away the data description but keep the categories

Mark_Lizar: There is a lot of room for the p3p work to evolve
... with the lack of accountability, there are issues
... in EU, new Regulation will drive a lot of this
... in the US, NSTIC is requiring govt. to have good notice
... emerging efforts will provide ...

Alex_Fowler: we're thinking a lot about mobile
... our approach to privacy policies is to "we're not going to make major investments to re-writing our PP for desktop, let's start with mobile and go back"
... the opportunity for innovation is in these new areas
... Mozilla Marketplace for HTML5 apps
... require a PP, just like many app platforms
... building in a series of icons to differentiate search results in the store
... these apps have e2e security, these are ad-supported
... we really haven't talked about mobile at all [I did!]

Ashkan: I agree... ACT is going to have a set of icons... lots of work in mobile
... Mozilla has icons, Android has permissions manifest
... Apple had location but has additional axes, photos, contacts
... every organization is rolling their own
... in first rev. they didn't have contacts... but revised that
... now they include contacts access
... without a standard, there will be tons of conflicting efforts

Mark_Lizar: it's a standard that there is an opt-in/opt-out button to get consent
... to evolve that global infrastructure is important

<nweaver> why i'm skeptical of icons in a single image: http://farm3.static.flickr.com/2209/2233856221_99cf6cdf8b.jpg

Berin_Szoka: I'm one of the bigger naysayers and I love this, you're doing something right!
... comment: on enforcement, as to why FTC hasn't taken action
... whatever the reason for that, that will become moot if you get wide adoption
... [berin recites the last element of FTC deception authority about harming users]
... as long as you have some group of users for which a deception is material, that is the hook
... How would you relate your concept to Cass Sunstein's idea of smart disclosure?
... how do you see structured disclosure used for forms that allow for innovation in disclosure formats
... and what about choice by proxies for users?

Ashkan: p3p was designed as a slider for a browser...

Deirdre: and you could import preferences established by another org

Ashkan: you need incentives and enforcement.
... you need the entire ecosystem for it to function
... browsers may not be capturing user sentiment
... with an interoperable, standardized [thing] you could get this ecosystem to a point where notice is meaningful and widely adopted

Mark_Lizar: you can create much more rich notices... right now they are flat, non-interactive
... a lot of these things can evolve if the ecosystem existed

Deirdre_Mulligan: This is DNT and Behind
... I did the first FTC preso on p3p with TBL many years ago
... prescriptive rather than descriptive vocab.
... it also was going to have an automated mech. for populating fields so that those respective privacy beliefs
... stripped out by other privacy advos
... workshop at AOL in 2002 with regulators, EU, inside/outside councils..
... went over all of this stuff... please go read those remarks
... when p3p has been trashed as a failure... p3p was one of the first metadata standards
... w3c should go look at p3p
... think about security breach notification laws
... no one wanted to do those things (encryption, notice on breach)
... w3c should seize the fact that it was way beyond its time
... for those that think DNT is too binary... "Duh! no joke"
... go look at p3p, yo.

<aleecia_> Alex: "Come back to us, Deirdre"

Frank_Dawson: any idea of how many of these support layered notice?

<aleecia_> +1 to Alex!

Ashkan: definitely glossed over this

Joanne_Furtsch: comment and a response to Frank
... we've been actively working with layered notice on desktop and mobile
... we have examples of these on our website

David_Wainberg: there is tremendous pressure to be really comprehensive in their privacy disclosure
... it's extremely difficult to boil these down to short, concise statements
... that's what I've heard about p3p... can't fit it into these tokens

Deirdre: it's because they want to say, "Maybe"

<wseltzer> Deirdre++

David_Wainberg: there's not a lot of support documentation

[there's an O'Reilly book!]

scribe: people have struggled to do this

<npdoty> I believe the Privacy Choice project is attempting to tie the short notices back to the relevant text in the existing long form policy

scribe: to make something like this work, it's going to have to make sense to attys. working in companies.
... and the thing needs to be fashioned in a way that lawyers can feel comfortable that this won't [bite them in the ass]

Mark_Frigon: Want to talk about standardization around data analytics
... software deployment increasingly depends on analytics
... concerns that "people are tracking everything"
... a lot of that is true, some of that is sw deployment changes
... more parties providing direct services to your customers and require direct tracking
... each vendor is going to transcribe different data into different "domains" (data vocabs)
... not currently structured
... lots of tag-management solutions
... do mapping of ontologies from customers vendors, etc.
... ESPN's home page alone has 35 different parties tracking
... WSJ says avg. website has 64 trackers
... many website operators don't even know all the tracking tech. that powers their stuff
... have to do audits with companies like Evidon

<npdoty> http://www.w3.org/Submission/2012/04/

Mark_Frigon: what IBM has drafted and submitted to w3c is a standard data model for customer experience
... think of this as a JSON or JS object

<npdoty> or rather, http://www.w3.org/Submission/2012/SUBM-cedda1-20120917/

Mark_Frigon: this can open up a new standard from which to manage and think about privacy
... now we have a client transcribing its own data objects into the standard
... now it is a common object that can be read/write to
... some open questions:
... if you have PII in a "visitor" object.. where to store that?
... cookie, DOM, etc.
... how can this type of model work with existing technologies?
... if you have DNT, maybe a vendor can't pull from a DNT object

[didn't get that last bit right]

scribe: this will provide at least a framework that when you have a common data model, it can be pro-privacy
... [shows example objects]
... Customer Experience Digital Data Community Group
... four standards listed

[are these all part of the w3c submish?]

<npdoty> http://www.w3.org/community/custexpdata/

scribe: intended benefits
... simplifies site management
... simplify switching costs
... simplifies new deployments
... provides a foundation for better data governance
... community group is launched... 8 partners that have supported it
... discussions with Google, hoping Adobe is on board
... please join the community group
... mark.frigon@us.ibm.com if you want to get in touch

<npdoty> pre-pre-kickoff meeting :)

scribe: call on Thu. pre-pre-pre-kickoff meeting

JanS: have you decided where to put the data?

Mark_Frigon: that is all open. working for a common data model. those questions need to be answered.

JanS: draft spec. addresses data model?

Mark_Frigon: yes.

Ashkan: observation: there are a couple companies that do tag management... an issue I've seen in the past
... the currency of this ecosystem is impressions and click data...
... also an industry that no one trusts anyone else... want to make sure that accounting matches
... to ask people to use a different vocabulary when a check is on the line will be tough.


Mark_Frigon: the analogy I would make is that if the browsers would support it... certain attributes in HTML5 aren't supported and so they just ignore it

[please correct me as you understand it]

scribe: that is the type of feedback that would be helpful for buy-in and progress

JanS: can we contextualize this with the session from this morning about browser-based defense?
... could this help there?

Mark_Frigon: I use that as a hypothetical or a potential implementation

npdoty: curious if this seems of interest to potential implementors
... some similarities to p3p data control
... could configure a browser to do this... is this of interest to implementors, advocates?

Deirdre: if one could imagine the GeoPriv and GeoLocation standard where rules are attached to data... it could be an extraordinary development.

Mark_Frigon: [didn't get this]
... a website that doesn't have a strict privacy policy can have things very exposed... one with a strict policy may want to use a vendor based test on vendor GUIDs
... we have a data model, nothing more specified

Rigo: do you integrate the privacy into your data model or external to the model
... we need ways of linking statements to objects... Rigo's paper suggests using the context as the link to the object
... solves problem of lawyers not wanting to make certain kinds of statements
... when you have a fixed context, the [something and something does something]

JanS: can include a policy element for data
... having the policy included from the beginning conceptually could solve a lot of problems
... in this case would pass it on as an object concealed in some other wrapper of policy

Mark_Frigon: ah, in how I was thinking, the website controls the data, whereas in your model it just gives it away with the criteria for policy/sharing

JanS: never give away the data without the policy that governs the data
... could be the browser doing the logic/evaluation of policy
... in some cases it may be traveling to a vendor depending on policy allowing sharing with vendor

<npdoty> I believe we're now using "policy" in the sense of user-configured preferences, not "public policy"

Rigo: this is steering data flows with metadata

Shane_Wiley: structured data is always good...
... in some sense the variation in the market makes user objects look very different
... what are your thoughts on incentives for using structured data?
... what's the primary motivator, and how would you deal with the multi-persona problem?

Mark_Frigon: the spec. today includes a lot of flexibility... you should be able to stuff a lot of things into that person object.
... as for incentives, if a company requires you to adhere to a standard, the market will support it

and we break until 3:30 PST sharp.

<wseltzer> [thanks JoeHallCDT!]

<wseltzer> JoeHallCDT++

Future Directions

Tara_Whalen and Christine_Runnegar on PING efforts

scribe: trying to jumpstart what web standards privacy work needs to be done
... will first focus on privacy review of proposed standards

Christine: two key work items

1) privacy considerations document

2) best practices for implementors and deployers

Frank_Dawson has volunteered for everything

This is a call to action to get people involved

PING wants to identify a privacy reviewer for standards early on

Christine: how can we best do that?
... have been doing ad-hoc reviews, when a WG notices it needs expertise
... recently at the TPAC we had an informal meeting with Dev API WG

<wseltzer> [PING: http://www.w3.org/Privacy/ ]

Christine: in our paper we've identified concrete action items
... also have a series of questions

Tara_Whalen: two of the items have been mentioned for areas of work
... if there are others, let us know
... fingerprinting is one...
... what is fingerprinting? challenges for mitigating fingerprinting.
... appropriate uses of fingerprinting
... some discussion of this at the TPAC


Tara_Whalen: 2nd, privacy indicators for privacy in browsers
... this is a good time to identify places for ongoing work
... set of questions:
... will skip interaction between policy and standards... did that yesterday!
... what are known privacy and risks of web standards? what should we do about them?
... what privacy design principles make sense for the web?
... how do we make sure privacy concerns are raised at an early stage?

<JoeHall> [how is it done with security? usability?]

Tara_Whalen: how should privacy reviews be conducted?
... who gets to contribute? how?
... trade-offs: privacy, usability, security, reliability.
... have a lot of work cut out for us
... these are big challenges...
... we encourage you to participate as much as possible
... we'd like to hear what we can do and what we can do for you

Christine: let's go back to the potential areas for work
... what were the concrete things that were suggested?
... on fingerprinting: perhaps PING could produce a document about fingerprinting, what are the challenges, how can we design in mitigations?
... also the suggestion for others to develop a standard anonymous fingerprint
... is there a way to develop a means to expose fingerprinting... make it easy to detect when a browser is being fingerprinted
... To wrap up: privacy considerations document for web standards devs.
... best pracs. for implementors and devs
... privacy reviews for web standards
... suggestions for potential areas of new work.
... questions that Tara raised above
... Frank_Dawson may propose one approach one way to standardize privacy reviews

npdoty: questions for PING peeps?

Karen_Myers: I didn't see web performance WG.
... subject of fingerprinting came up at recent meeting... they can very precisely fingerprint

Christine: can you put us in touch with that WG?
... next call is 12/6 UTC 17
... would be great to have someone from that group speak.

Berin: FTC workshop on 12/6 on big platforms
... Q: where do you think w3c's competence lies?
... at the end of the day, because it's a public venue, there are some issues that will not be resolved constructively in a public forum.
... much progress can happen in private settings.
... my concern is that if you succeed too well, it may make it too difficult to make a center of gravity for the private conversations that need to happen.
... what we really need in the private space, is something like what we have for net neutrality, the BITAG
... create a forum for discourse that is private.

<wseltzer> public processes work for the Web because there is not a small set of private stakeholders

Christine: we might be focused on a different problem...
... it's not about publicness but lack of attention to privacy and lack of expertise
... we don't want to deflate energy from the WG work, but complement with a parallel process
... part of solving some of the problems is making sure the right people are doing the work and not wasting the time of people that are not interested, resourced, experienced
... want to fit the process to the problem

Rigo: Berin referred to a situation of arbitrage... where mediation between entrenched positions...
... we do that in private conversations, but then come back to the public place to show results...
... one does not exclude the other.

Frank_Dawson: Have been looking at PbD's unmeasurable 7 tenets...
... was also dragged in to being a privacy guy at Nokia via CTO's office
... have run impact assessments in various projects
... have actually closed down projects... very interesting stage, when you're already operational on a project
... want to make an abridged version of privacy impact assessments that can have a time of 2 weeks
... doubt we generate specs at w3c that fast
... but we should be able to fit the process to the group.
... will present how to mold process to group
... first piece is bringing civility to the group [?]
... first started to think about the word "trust"
... we probably have different "trust philosophies"
... citing David Hoffman at Intel
... Intel talks about the "triangle of trust"
... "Technology industry" competes with "consumer/advocacy" competes with "policy/regulatory"
... [something about a force field]

[not as good at transcribing stories, apparently!]


<npd> wrap-up thoughts unminuted, included summary from Thomas Roessler, Jan S. and Nick D. and final words around the room. Thanks all for coming!

Summary of Action Items

[End of minutes]

Minutes formatted by David Booth's scribe.perl version 1.135 (CVS log)
$Date: 2013/03/04 06:48:17 $