W3C

- DRAFT -

Tracking Protection Working Group teleconference

05 Dec 2012

Agenda

See also: IRC log

Attendees

Present
dsinger, npdoty, dwainberg, Rigo, +1.917.934.aaaa, +1.202.331.aabb, Peter, moneill2, +1.415.520.aacc, +1.408.674.aadd
Regrets
Chair
schunter
Scribe
aleecia

Contents


<Walter> npdoty: is it correct that no agenda was sent on-list?

<npdoty> Walter, agenda was sent by Matthias: http://lists.w3.org/Archives/Public/public-tracking/2012Dec/0025.html

<Walter> npdoty: never mind, seem to have overlooked it

<Walter> thanks

<dsinger__> Dave got the early bus to be in time but has spent all that extra time and more in traffic jams :-(

<Joanne> Zakim. aacc is me

<susanisrael> 917.934.xxxx is susanisrael

<rigo> zakim aaaa is susanisrael

<dan_auerbach> 301 izakin, aahh is me

<dan_auerbach> whoops, thanks

<npdoty> schunter: welcome, everybody

<npdoty> ... sent around agenda: http://lists.w3.org/Archives/Public/public-tracking/2012Dec/0025.html

<Chris_IAB> Just joined via Skype

<npdoty> ... thx to dwainberg for input, other comments on the agenda?

selection of scribe

<npdoty> volunteers to scribe?

<aleecia_> Can scribe if needed

<aleecia_> scribenick: aleecia

overdue action items http://www.w3.org/2011/tracking-protection/track/actions/overdue?sort=owner

<hefferjr> zakim aapp is hefferjr

<aleecia_> no!

<aleecia_> heh :-)

<jchester2> It's about time Aleecia did some work!

<aleecia_> matthias: overdue action items, compliance postponed.

<aleecia_> thanks Jeff, my boss at Stanford thinks so too!

<npdoty> I would love if we could continue to make progress on those action items, though

<aleecia_> matthias: TPE-related overdue actions, 323

<aleecia_> action-323?

<trackbot> ACTION-323 -- Thomas Lowenthal to share results of what-the-response-is-for discussion -- due 2012-10-22 -- OPEN

<trackbot> http://www.w3.org/2011/tracking-protection/track/actions/323

<dsinger__> Action-323?

<trackbot> ACTION-323 -- Thomas Lowenthal to share results of what-the-response-is-for discussion -- due 2012-10-22 -- OPEN

<trackbot> http://www.w3.org/2011/tracking-protection/track/actions/323

<aleecia_> that's done or not

<aleecia_> just close it

<aleecia_> just close it

<aleecia_> it's notes from a meeting months ago

<aleecia_> and i've reminded him ample times

<aleecia_> time to go

<dsinger__> Yes I was

<npdoty> are there volunteers for 258 or 323?

<aleecia_> do either of you have notes?

<Walter> I can't even find in the e-mail archive what it is about

<rigo> issue-303?

<trackbot> ISSUE-303 does not exist

<dsinger__> Let nick and I talk and we can resolve

<rigo> action-303?

<trackbot> ACTION-303 -- Ian Fette to draft definition of "visit" -- due 2012-10-11 -- PENDINGREVIEW

<trackbot> http://www.w3.org/2011/tracking-protection/track/actions/303

<dsinger__> Tell u next week

<dsinger__> Assign away

<aleecia_> nick: reassign 323 to one of us

<dsinger__> Ok

<aleecia_> matthias: reassigning to dsinger

<aleecia_> matthias: next action-258

<aleecia_> action-258?

<trackbot> ACTION-258 -- Thomas Lowenthal to propose 'should' for same-party and why -- due 2012-10-22 -- OPEN

<trackbot> http://www.w3.org/2011/tracking-protection/track/actions/258

<Walter> dsinger__: I hope you'll get an appropriate bonus from Apple, given the number of actions you've taken upon yourself

<aleecia_> again, it's been long enough: just close it

<jmayer> having trouble getting into the call

<jmayer> unsure if others are too

<aleecia_> (unless someone else wants to take it...)

<Walter> jmayer: no problems here

<aleecia_> jmayer, try again, took me a few tries

<afowler> +1 aleecia to just drop it

<WileyS> Jonathan, I've tried 6 times now and getting an "unable to complete your call message"

<npdoty> jmayer, took me a couple tries, but I'm hearing about reports of Zakim issues, and our team is looking into it

<cOlsen> same here

<jmayer> redialed quite a few times, just rings then busy

<aleecia_> rigo: had to do with transition permissions, same party and first party defns

<tedleung> i also cannot dial into the call

<aleecia_> … if you believe you are a first party you must be in the party file, Tom wanted a should to rely on

<susanisrael> someone at w3c may be able to expand the bridge to accomodate more callers.

<aleecia_> Rigo perhaps would like this action item?

<npdoty> we're looking into the Zakim issue, it's not specific to our call.

<WileyS> "Your call can not be completed as dialed. Please check the number and dial again."

<aleecia_> rigo: will take the action item and work with Tom

<aleecia_> matthias: thanks, will reassign to rigo

<Walter> 276

<aleecia_> … next action is 317

<aleecia_> action-317?

<trackbot> ACTION-317 -- David Singer to draft non-normative examples on same-party (issue-164) -- due 2012-11-14 -- OPEN

<trackbot> http://www.w3.org/2011/tracking-protection/track/actions/317

<aleecia_> matthias: david, progress?

<aleecia_> dsinger: need one more week

<aleecia_> mathias: ok

<aleecia_> nick: sent something to the list...

<aleecia_> dsinger: maybe I did!

<npdoty> http://lists.w3.org/Archives/Public/public-tracking/2012Nov/0334.html

<aleecia_> … yes, that should resolve the action item

<aleecia_> (oops, sorry about colons not commas there)

<aleecia_> tlr many are having trouble. can you help?

<tlr> kaleecia, nick is on it. And trouble noted.

<aleecia_> matthias: caller id

<aleecia_> rigo: mark 317 and 258 as related issues please?

<aleecia_> matthias: can make a comment

<aleecia_> nick: rigo, feel free to do so

<jmayer> missed the early issue discussion

<aleecia_> jmayer just did overdue action items

<jmayer> looked like there was a tl assignment i was willing to pick up

<Chris_IAB> 202 in Washington DC, correct?

<Brooks> 678 is Brooks

<jmayer> same-party, iirc

<Simon> I am area code 303

<aleecia_> ah, that's likely the one Rigo took rather than the one dsinger took

<laurengelman> i just joined the call

<cOlsen> i just got through 202 326

<Chris_IAB> I'm guessing one of the 202 numbers is Lou Mastria

<aleecia_> action-258

<schunter> fyi: Jonathan: Action 323 has been picked up by David Singer and Action 258 by Rigo

<aleecia_> just lost all sound but the call seems still up

<Chris_IAB> lmastria-DAA, are you dialed in from 202?

<Chris_IAB> 415 is San Francisco

<Chris_IAB> 937 is New York

<Yianni> Yianni is 937

<Chris_IAB> hwest, are you dialing in from 202?

<afowler> 415 is me

<tedleung> zakim aatt is tedleung

<BerinSzoka> great--20 minutes on phone clearance...

<BerinSzoka> there has to be a way to reduce time spent on this

<hwest> Chris_IAB, I think I'm IDed already

<BerinSzoka> maybe you could remind everyone what the procedure is in an email?

<aleecia_> matthias: Peter to give comments

<aleecia_> peterswire: wrapping up semester in Ohio. Will be in DC next week and week out, would love to meet with people

<Lmastria-DAA> got disconnected

<aleecia_> … read 15 comments by deadline today, more since

<aleecia_> … for week from today, will discuss those comments and walk around the virtual room to introduce people who haven't commented

<aleecia_> … some people are very active, others are not as vocal

<johnsimpson> zakim aauu is johnsimpson

<peter-4As> Also got disconnected. Trying again-

<aleecia_> … getting brief intros might be constructive

<Chris_IAB> Lmastria-DAA, W3C staff could not identify your phone (202 area code) so you were dropped-- dial back in and type in IRC when you do

<WileyS> Lou, what number were you calling in on? You could have been one of the numbers that was unassigned and therrefore dropped.

<aleecia_> … that's the call on the 12th

<johnsimpson> who is on call?

<aleecia_> … may not be a call on the 19th, but if we need to continue the call from the 12th we may

<aleecia_> … w3c staff & chairs are looking early / mid-feb for f2f

<aleecia_> … possibly east coast of US, but not settled yet

<Chris_IAB> can you please make that Florida? :)

<Lmastria-DAA> we are trying to dial in, but conf line is not picking up

<aleecia_> … two editors on compliance but began with four. if suggestions of names to add, people who can work in HTML, and can synthesize points coming in, open to considering

<WileyS> Chris, any IAB members in Florida willing to give us the space for 3 days? The Yahoo! office in Miami is tiny so I won't be able to contribute.

<Chris_IAB> Lmastria-DAA, keep trying

<aleecia_> … if any questions, please ask now

<Lmastria-DAA> Lou DAA and Mike IAB

<aleecia_> rigo: global considerations work on mailing list, also want f2f in Berlin or Brussels last week in Jan. task force, not official WG meeting, and anything the task force comes up with will go through WG review.

<Chris_IAB> Rigo, can't your face-to-face be combined with the larger group's f2f?

<peterswire> how do I ask to speak next?

<aleecia_> … week of 28 Jan, details TBD, Kimon is helping

<aleecia_> peterswire: will be in Brussels 23 Jan

<aleecia_> … will meet people while there

<hwest> peterswire, just type "q+" and it'll put you in line - if you have something immediately relevant, chair's discretion to just jump in once in a while!

<aleecia_> … if we meet in eastern US, comment that Florida would be nice, but need a host. any volunteers welcome

<Walter> Newfoundland is probably more productive though

<aleecia_> chris: rigo, trying to understand need for a f2f separate from another f2f shortly thereafter? travel budget, time, resources troubling.

<BerinSzoka> I assume Peter was simply saying he would be available to meet people in Europe in January when he's there anyway

<aleecia_> … consider putting both meetings together

<aleecia_> … don't think it's possible to do two trips in that time

<Brooks> +1

<Chapell> +1

<BerinSzoka> when is the global considerations meeting?

<peterswire> responding to Berin -- yes, I am glad to meet f2f when I happen to be in Europe in late January with those interested

<aleecia_> rigo: we discussed this on the other mailing list, will have dial in. Goal of the mtg is to get DPAs involved, and we don't get them if we hold it on the east coast

<BerinSzoka> will that meeting be timed to coincide with http://www.cpdpconferences.org/ 1/23-25?

<aleecia_> matthias: for this set of meetings, may make sense to x-post to main mailing list

<BerinSzoka> (in Brussels)

exceptions revision http://lists.w3.org/Archives/Public/public-tracking/2012Dec/0005.html

<aleecia_> matthias: next agenda item. dsinger's proposal

<aleecia_> … should we put this into the spec as an option, and should we remove the other option?

<aleecia_> dsinger: Adrian proposed and Ian refined. Prior: sites must determine user is informed, and UA must confirm with the user that they intend to grant the exception. Asynch and awkward. Site no longer in control of messaging.

<aleecia_> … Why not drop UA requirement, and make it clear sites need to get informed consent

<aleecia_> … call is to *record* that

<aleecia_> … no direct discussion on this question since posting text to mailing list

<aleecia_> matthias: important point [dropped out]

<npdoty> schunter: still possible to check with the user ...

<schunter> and modify

<aleecia_> dsinger: UA can expose requests and what's recorded at any time

<aleecia_> … still the API calls to provide info, and take user back to site if needed to understand what happened

<aleecia_> … still possible. Just not *required*

<aleecia_> adrian: reviewed changes

<aleecia_> … this moves in the right direction

<aleecia_> … especially based on feedback in AMS

<aleecia_> (I'm having trouble hearing, perhaps someone else should scribe?)

<aleecia_> dwainberg: jumping in to silence

<npdoty> adrianba: have minor issues, which we can talk about later

<aleecia_> … want to make sure understand this, are we adding this draft in place of what's there, but still can discuss?

<aleecia_> matthias: yes

<aleecia_> dwainberg: ok

<aleecia_> dsinger: is this an improvement? not is this final / perfect.

<aleecia_> matthias: if general idea is worse than the old one, speak up

<aleecia_> … if you still have things to modify, that's ok, but if you liked the required user interface then speak up

<aleecia_> … we can continue to work on the new approach if there's support

<WileyS> +1 to Nick

<aleecia_> nick: confusion on user interface, neither has a requirement.

<aleecia_> … major change, making it synchronous rather than asynch

<Walter> I like the paradigm of this as a accountability approach, recording a transaction

<aleecia_> … moving expectation that the browser has confirmed / is responsible for (consent)

<dan_auerbach> i agree with nick

<aleecia_> … putting it all on the sites means 3rd party trackers need to second guess and hope 1st parties did good enough job

<dsinger> This is the problematic required UI in the old draft: "The calls cause the following steps to occur:

<dsinger> First, the UA somehow confirms with the user that they agree to the grant of exception, if not already granted;

<dsinger> If they agree, then the UA adds to its local database one or more site-pair duplets [document-origin, target]; one or other of these may be a wild-card ("*");"

<aleecia_> … small changes, which is great, but think this is going to be worse

<aleecia_> (again, having trouble hearing)

<aleecia_> (please fill in if anything is missing)

<aleecia_> matthias: before, UA needed to make sure signal was in line with user preferences. new, parties need to make sure, and we do not specify how

<aleecia_> adrian: does require UA to do some confirmation, and that's the key bit.

<eberkower> aayy is eberkower

<aleecia_> … if we trust the site to honor DNT:1, we trust the site to do the appropriate thing for an exception

<aleecia_> matthias: ok. and on synch API?

<aleecia_> adrian: considerably easier than an asynchronous API all around

<aleecia_> … common case, UI from browser confirming user granted exception, then asynch is the right design.

<aleecia_> … here the user can confirm or remove, but the common case is not to wait for confirmation through UA, so design with asynch

<npdoty> if a UA does want to confirm with the user, do they just keep the thread waiting?

<aleecia_> dsinger: UA can prompt to be sure, and configure UA to always say no without asking. but the small amount of time the exception is in the db is not worth making it asynch

<aleecia_> … the question is if UAs are required to check with the user

<aleecia_> Rigo: David, I'm with you.

<aleecia_> … responsibility for notification and how stuff looks is with the site, everyone was happy.

<npdoty> not everybody was happy about that :)

<aleecia_> … browser still has a function. user must be able to revoke.

<WileyS> David, why not go async and allow UAs to force order in a UI interface on their own if they like? The call is async but future DNT:0 header placements are still controlled by the UA.

<aleecia_> … how does a site who thinks they have an exception find out if they still have it?

<aleecia_> dsinger: API to answer that question. Call at any time to find out

<aleecia_> matthias: site gets exception. user changes his mind or deletes it, UA will send DNT:1 again

<aleecia_> … if site is very interested that nothing changed, can always call

<aleecia_> … yes?

<aleecia_> adrian: on waiting for exceptions that Rigo raised, feedback that draft with David is not sufficient for a site to (unclear)

<aleecia_> … reason they might get DNT:0 is site-wide or web-wide exception, think that's necessary

<aleecia_> … still work to do on query part

<npdoty> why does the party need to know if they got a site-wide or a web-wide exception?

<aleecia_> to know what their 3rd parties are likely to get

<Zakim> dsinger, you wanted to point out text on requiring at-the-time consent

<aleecia_> dsinger: did insert text - don't want sites determine today, agree to exception, and then have it cached

<aleecia_> … needs to be consent at the time of the call, not remembered from some time ago

<npdoty> will take some additional comments offline

<aleecia_> Shane: agree mostly with David. out of band consent would be something to consider

<aleecia_> … also registered as an exception, then user removes exception, do they also remove out-of-bound-consent?

<rvaneijk1> Shane, that is the whole idea of a consent mechanism...

<aleecia_> … becomes confusing to manage state in multiple locations

<rigo> WileyS: I think this is rather a factual question and a state control thing

<npdoty> alternately, it's quite confusing for users if they have to clear an exception twice, once in their browser and once on the site

<aleecia_> … agree on timing. Should be asynch. UAs can force ordering of UI confirmation. What rules the day is timing for header

<npdoty> +1, what rules in the end of the day is the header

<aleecia_> … whatever comes back as DNT:1 or :0 is the order the server should follow

<schunter> The headers are law :-)

<aleecia_> … think we agree on that. Action based on that.

<aleecia_> dsinger: offline discussion, will talk more

<aleecia_> schunter: propose adding text as unsettled option

<JC> If the header comes from a network device it may conflict with the user's preference from the UA

<npdoty> WileyS and dsinger to continue conversation online (I'm interested too!)

<aleecia_> … objections?

<dsinger> notes we need a discussion of out-of-band consent; the current document defines OOB consent as consent not signalled inline with a DNT header

<aleecia_> … mark new text as work in progress, old text as stable, both as options

<aleecia_> adrian: question to David, how feasible to include both options in document, does that require duplication

<aleecia_> dsinger: lots of little changes would happen if we adopt. would rather do it and move on, can revert to prior text if needed

<aleecia_> thank you nick

<WileyS> Agreed - please move to the new text now.

<aleecia_> matthias: would like to replace with new text now

<Zakim> npdoty, you wanted to ask if the changes are small enough we can just mark options inline

<aleecia_> nick: agree there's duplication to have both options in the document. fine with updating with new text and adding notes around this.

<aleecia_> … don't think we're making this decision now. if we are, would object.

<dsinger> I can certainly add notes, noting the old approach, and points where refinement may still be needed

<aleecia_> matthias: ok to update but notes with contrast to old approach and pointer.

<aleecia_> … good piece of advice, is that correct understanding to point to old version with changes highlighted?

<jmayer> I object to replacing the text right now.

<aleecia_> nick: list of changes and that those are open questions.

<aleecia_> jmayer: good discussion on how new approach would work. better idea now.

<aleecia_> … high-level discussion of whether the old approach was preferable.

<aleecia_> … was missing.

<aleecia_> … need more discussion

<WileyS> Can we take a straw vote / humm? I believe most in the WG would like to move to the new text.

<aleecia_> matthias: in general, new approach if we can iron out the details

<dsinger> I disagree; there was clear geberal consensus to move in this direction, and no objection. people can still reflect and realize problems, of course

<aleecia_> … if there are many people with strong objections on the new approach, would like to hear them

<npdoty> I think I've stated my objections a few times

<npdoty> ... but I'm happy to repeat them :)

<aleecia_> … Nick prefers old approach, anyone else?

<WileyS> Nick and Jonathan - anyone else?

<aleecia_> possibly -- need to see the details first :-)

<dan_auerbach> yes I am inclined to agree with Nick

<dan_auerbach> sorry call quality is bad

<aleecia_> happy to let that work go forward, but not yet 100% sold

<WileyS> UAs can still optionally do that

<aleecia_> jmayer: there were others concerned as well

<aleecia_> … there were objections in the past

<dan_auerbach> but I would need to be convinced further before taking the new approach over the old

<npdoty> aleecia_, are there details you're still missing, beyond David's written up text?

<Walter> I think jmayer is right, as it is now it is hard to grasp the extent of this proposal

<aleecia_> matthias: respond to David's email on the list, repeating: replace text and work on new text to try to improve it. then we see what objections and what arguments.

<npdoty> Walter, are there details you're still missing, beyond David's written up text?

<aleecia_> … Nick still has objections, but Jonathan didn't view as objecting but rather nothing objections exist

<rigo> dan, the DPAs mainly say, it is the site's responsibility (they are the controller) and sites are object of enforcement. Browsers aren't. This is how this approach came about

<WileyS> If some advocates are okay with moving forward, all UAs, and all industry all want to go in the same direction, why are we still discussing this?

<aleecia_> jmayer: concerned that if you don't agree you have to say so every single time it comes up, this is not a good mode of operation and very inefficient

<aleecia_> +1 to concerns on how sustained objections work in practice

<aleecia_> dsinger: do you object to the synch/asynch, or the moving responsibility?

<BerinSzoka> for those policy people who are a bit lost, is there a short, accessible summary of this we can read?

<aleecia_> nick: not sure there was such a requirement

<Walter> npdoty: I have to see the text first, haven't found it yet

<aleecia_> … my objections were to not being the browsers' responsibility as well as asynch

<jmayer> If I understand correctly, Nick is objecting on both issues.

<jmayer> I certainly object on both issues.

<aleecia_> … sending DNT:0 is user, with browser's confirmation, is sending the signal

<aleecia_> dsinger: substantial objection to new plan. thank you

<jmayer> And with that, back to the grind. Later all.

<Walter> I have objected to using javascript, but am not sure whether it bears relevance to this suggestion

<npdoty> ACTION: schunter to ask for any objections to the new exceptions model [recorded in http://www.w3.org/2012/12/05-dnt-minutes.html#action01]

<trackbot> Created ACTION-342 - Ask for any objections to the new exceptions model [on Matthias Schunter - due 2012-12-12].

<aleecia_> matthias: would like email to the dlist in the next week and see what arguments there are.

<WileyS> Berin, there is some disagreement on whether a UA MUST confirm exception requests or if they MAY confirm exception requests.

<aleecia_> … next agenda item

<rigo> Walter, this is a rather fundamental opposition to HTML5 :)

ISSUES marked PENDING REVIEW

<Walter> rigo: for the purpose of DNT, that is

<npdoty> issue-112?

<trackbot> ISSUE-112 -- How are sub-domains handled for site-specific exceptions? -- pending review

<trackbot> http://www.w3.org/2011/tracking-protection/track/issues/112

<aleecia_> … issue-112, next up

<dwainberg> and others

<dwainberg> (have made the same point)

<aleecia_> … point dwainberg made on mailing list is that agreement on a wildcard but not which ones

<aleecia_> … do we have agreement, we should put into text

<dsinger> alas, I do not think we have worked out the public suffix issues

<aleecia_> … site-wide exceptions do not need wildcards.

<rigo> dsinger, the DE outreach measurement goes as a subdomain, but is effectively a third party

<aleecia_> … if explicit lists, enumerate all of them, or pattern matching, or other wild cards in this list?

<WileyS> We appear to be okay with sub-domains for the most part. Less agreement on the use of wildcard on suffixes.

<npdoty> my summary of the issue was here: http://lists.w3.org/Archives/Public/public-tracking/2012Nov/0327.html

<aleecia_> adrian: disagree that this is not an issue for site wide exceptions

<WileyS> Yes - we would need wildcards on site-wide and web-wide.

<aleecia_> … requires site-wide API is explicit about subdomains

<aleecia_> … if asking site-wide for www.example.com is mail.example.com a subdomain?

<aleecia_> … need notion to know if that's true

<aleecia_> … second, while have argued for explicit about domains rather than programatic way of saying a wildcard for subdomains, based on feedback accept this is desirable.

<aleecia_> … in original proposal said at least use same rules for cookies to reuse code for UAs

<schunter> Adrian now seconds the proposal to use cookie-like wildcards/rules.

<Zakim> npdoty, you wanted to disagree that this is specific to explicit lists

<aleecia_> Nick: easy to get confused on which section were are talking about

<aleecia_> … for explicit list option, question is subdomains or wildcards

<aleecia_> … should we expand the (first?) party when asking: you visited www.example.com should that apply to mail.example.com or example.de

<aleecia_> … are you asking for example.com or a.example.com, b.example.com

<BerinSzoka> thanks, Nick

<aleecia_> … those are separate questions and in neither case do you need -

<aleecia_> … does it apply to the exception-specific list.

<aleecia_> … haven't heard that request for the backend

<aleecia_> … would rather avoid using (?) which is confusing for (?) and instead use (?)

<aleecia_> … expanding first party case, or expanding third party exception

<aleecia_> … good to add additional parameter, use case there

<aleecia_> -- nick I missed much of that, sorry, really hard time hearing words clearly

<rigo> http://www.w3.org/TR/P3P11/#oho

<aleecia_> rigo: problem is not new

<npdoty> would rather avoid using the cookie matching rules, which we've long had problems with, and instead use document origins, which I thought we had agreement on previously

<aleecia_> … URL pasted is from Matthias on domain relationships

<aleecia_> … if we take cookie-based or origin-based, always have scenarios where notion of Service Provider

<aleecia_> … have to extend the scope either way

<tlr> +1 to nick

<npdoty> and I think there are ways that browsers/sites can already optionally handle the expansion to other domains in the same party, via the same-party parameter

<aleecia_> … need a way to express that

<aleecia_> … can use wildcard, or use same host, but we need something

<schunter> same-party

<Zakim> dsinger, you wanted to point out that the question arises for both the top-level origin, and the targets, and matthias asked about the latter and adrian is talking about the former

<aleecia_> dsinger: like Nick, want to make sure we don't confuse two things

<npdoty> and I think this isn't directly applicable to the site-specific explicit lists, but instead to the expansion of the first party or the expansion of the third party

<aleecia_> … origin for making the call, primitive prior to the call, that's tricky

<aleecia_> … or wildcarding for explicit parameters is pretty harmless

<WileyS> *.com should not be allowed

<npdoty> agree with dsinger that it's harmless, though I'm also not sure it's a commonly requested feature

<aleecia_> … broaden it to entire web, fine, could have made it * completely

<WileyS> Root domain should always be required

<aleecia_> … can already do that

<aleecia_> … on the first parameter more tricky. if you want mail.example.com, need specific text proposal. want to avoid cookie matching rules

<rigo> things work like ivwbox.journal.de and this is a separate company, so just * doesn't work

<aleecia_> … looking for specific text

<npdoty> WileyS, you're suggesting that we should use the public suffix and matching rules? and for the expansion of first party or for the domains in the explicit list of third parties?

<aleecia_> matthias: proposed updates to the text, volunteers soon

<aleecia_> adrian: [unclear]

<aleecia_> … was talking about both

<johnsimpson> trouble hearing adrian

<aleecia_> … domain call is coming from, and also domain in array of site list

<npdoty> adrianba: talking about both things, the domain where the call is coming from and the domain in the array of sites list

<adrianba> http://pages.adrianba.net/tpe/exception-proposal.htm

<npdoty> ... separately don't think the array of sites is valuable for the API, a separate discussion

<dsinger> anyone who wants to freak, have a look at the length of the current public suffix list at <http://mxr.mozilla.org/mozilla-central/source/netwerk/dns/effective_tld_names.dat?raw=1>

<aleecia_> … proposal in original text that talks about how cookie matching works here

<WileyS> Rigo, agreed those companies shouldn't use wildcards if they have that type of structures where the sub-domain is used to denote different entities. But let's not remove it for those where it makes sense and does simplify the recording of exceptions.

<rigo> exactly

<aleecia_> … use case, system that allows me to create ad choices page with multiple exceptions given

<aleecia_> want that in a single call

<aleecia_> … dynamic within a particular domain

<npdoty> I believe we've agreed that this can be done, via iframes in the adchoices-style page

<npdoty> we asked and answered that question in Amsterdam

<rigo> WileyS, but in this case, I think "same-host" is where you want to go

<WileyS> But how do I record "*.flickr.com" in that case?

<WileyS> Rigo, but how do I record "*.flickr.com" in that case?

<npdoty> aleecia_: one of the reasons we hadn't just followed what browsers are doing now, is that we might have analytics.example.com

<npdoty> ... if I thought I was giving an exception to one party and actually gave it to multiple parties (if we think the analytics company might be a third-party to the interaction)

<WileyS> Aleecia, Servers should not use wildcards in cases where the sub-domain represents different non-affiliated companies.

<aleecia_> walter: clarification question, for my understanding what does this add on top of the same sites mechanism?

<aleecia_> Shane so how would that work?

<rigo> WileyS: just in same-party

<aleecia_> nick: same party is what we're calling that field?

<aleecia_> … [unclear]

<aleecia_> … browser could optionally expand

<aleecia_> … in js parameter [unclear]

<dwainberg> (I couldn't understand what Nick just said)

<aleecia_> can someone else hear?

<dsinger> …is deeply unhappy about the API being asked to fetch-back from the site something else; if the UA needs it, it should be a parameter

<aleecia_> and if so, scribe?

<rigo> nick, your voip is bad

<aleecia_> nick: the suggestion I made is same parties could be used for this purpose

<aleecia_> … will send in IRC due to poor audio

<aleecia_> matthias: what do we do with this issue?

<npdoty> I think the browser could use `same-party` to expand the first party for this purpose

<dsinger> suggest we ask for specific proposed text changes

<aleecia_> … what updates to current text, leave as is, postpone or close?

<dsinger> a) for * in the parameter and (b) for related sites to the calling party

<aleecia_> … call for text proposals and if no one updates, we close the issue

<aleecia_> … vote through inactivity approach :-)

<npdoty> ... and the difference would be that the first party is asking through a specific javascript call

<WileyS> Aleecia, you would simply state this rule in the TPE. Is that what you mean by "how does that work"?

<aleecia_> nick: in my email did try. can flesh them out if that's helpful

<npdoty> I proposed changes here: http://lists.w3.org/Archives/Public/public-tracking/2012Nov/0327.html

<aleecia_> … can take an action

<npdoty> but can flesh them out into full text diff if that would be helpful

<dsinger> that would be great; "change this XX in section YY to ZZ"

<WileyS> Aleecia - remember, these exceptions are recorded so you have all the evidence in the world to dig into and bring back to the appropriate regulator (or press in a "name and shame" campaign) to enforce proper usage

<aleecia_> matthias: right way forward is current spec, your text, any other changes?

<dwainberg> I will propose text as well

<npdoty> ACTION: doty to update issue-112 proposal with specific changes to the draft [recorded in http://www.w3.org/2012/12/05-dnt-minutes.html#action02]

<trackbot> Created ACTION-343 - Update issue-112 proposal with specific changes to the draft [on Nick Doty - due 2012-12-12].

<aleecia_> Shane I'm on with policy rather than tech as you suggest, so long as it's very clear. we might want * minus specific subdomains...

<aleecia_> matthias: if no input we discuss Nick's.

<npdoty> ACTION: wainberg to propose changes for issue-112 [recorded in http://www.w3.org/2012/12/05-dnt-minutes.html#action03]

<trackbot> Created ACTION-344 - Propose changes for issue-112 [on David Wainberg - due 2012-12-12].

<aleecia_> … otherwise we discuss multiple alternatives. Nick to take action to translate email into well-defined changes to the text. dwainberg too.

<aleecia_> … closes issue-112 discussion

<rigo> nick, I updated tracker

<aleecia_> matthias: issue-138 next

<rigo> now related to issue 112

<npdoty> this was my non-normative text: http://lists.w3.org/Archives/Public/public-tracking/2012Oct/0628.html

issue-138

<aleecia_> … Nick proposed non-normative text

<BerinSzoka> Nick we can hear you fine

<johnsimpson> apologies, have to drop off call

<rigo> nick, now very audible

<aleecia_> nick: doesn't change requirements, just explains a party [mumble] user granted exception

<aleecia_> matthias: any objection to adding non-normative text to spec?

<npdoty> s/[mumble]/that doesn't have interactive javascript, like just drops a pixel/

<aleecia_> dwainberg: asked on mailing list, confused why we need this.

<aleecia_> … concerned about adding text

<aleecia_> … could be more confusing

<aleecia_> … object to putting text in spec

<aleecia_> matthias: came to be because what if only tracking [mumble]

<aleecia_> … text to explain if only have a tracking pixel

<aleecia_> … documentation for those who don't have javascript

<npdoty> originally from alex at nielsen, about trackers that don't have javascript, just drop a tracking pixel

<aleecia_> dwainberg:

<aleecia_> … found it confusing

<aleecia_> … question on mailing list never answered

<aleecia_> nick: intended to be explanatory. heard from Neilsen that they wanted examples

<aleecia_> … worked with (Lee?) on this

<aleecia_> … if you have more questions, happy to answer them or explain more

<npdoty> s/Lee?/Lou/

<aleecia_> … can move examples to separate document if needed

<aleecia_> that makes more sense :-)

<Walter> sound seems to be off

<aleecia_> dwaingberg: can do that offline, question on last bullet point in particular

<aleecia_> matthias: do it now

<aleecia_> dwainberg: text confusing about what a 3rd party might do but seems alluding to UA implementations

<aleecia_> … now understand better the user case

<aleecia_> nick: all parts of the spec depend on UA implementation

<aleecia_> … help me understand your question more?

<rvaneijk1> Action-139 is more a topic that may be addressed in global considerations IMHO, not in the spec.

<aleecia_> dwainberg: sounds like suggesting implementation for UAs to grant or block exceptions on other factors outside the specification

<aleecia_> nick: absolutely

<aleecia_> dwainberg: would remove that and stick to first two examples

<aleecia_> nick: doesn't think it's possible?

<aleecia_> dwainberg: doesn't belong as an example

<aleecia_> nick: other thoughts?

<aleecia_> matthias: we should use easy examples everyone can agree on without objections against

<aleecia_> disagree -- the easy things don't illustrate nearly so well as the edge cases!

<aleecia_> matthias: non-normative any way

<aleecia_> … preferì edge-cases that people in the group are comfortable with

<aleecia_> dsinger: would like text shorter and crisper

<Walter> +1

<rvaneijk1> +! david

<aleecia_> … answer is "you must explain to user and get consent" for tracking pixel.

<Walter> +alot, actually

<aleecia_> … starting in the wrong place

<aleecia_> … get exception when user brings a frame or page from your site, and here are examples on how that might occur

<aleecia_> david taking an action? :-)

<aleecia_> rigo: charm of DNT, no cookie banners like in UK

<WileyS> David - a pop-up would qualify as well, correct? A web beacon could cause that to occur (although the publisher may be very upset with that outcome) :-)

<npdoty> hearing from dsinger that the initial paragraph, which is intended to make that point, should do so more forcefully that tracking pixels can't directly get a Javascript-mediated exception

<aleecia_> … this removes some of the benefits we would generate

<aleecia_> … in US define DNT:1, in EU define DNT:0

<aleecia_> … if you call for exception, has at least the meaning of DNT:0

<dsinger> any document that gets sourced from your domain, that has an attached script, qualifies. frame, pop-up, window, sure...

<aleecia_> … even a one pixel image, if browser provides interface could get an exception

<npdoty> WileyS, beacons that can pop up additional windows presumably are running JavaScript

<aleecia_> matthias: substantial support for tracking pixel lang into spec?

<aleecia_> +1 support

<hefferjr> +1

<laurengelman> +1 support

<npdoty> +1, I think it can be useful to implementers to explain

<WileyS> Nick, correct

<aleecia_> matthias: would like David to do a short version to discuss next time

<dsinger> ok

<aleecia_> :-)

<aleecia_> sorry, david

<aleecia_> today you play Ian :-)

<aleecia_> matthias: also put into the spec?

<aleecia_> david: will work with Nick and do that

<aleecia_> matthias: then mark as pending review

<aleecia_> … if objections, can work through those on next call

<aleecia_> … ok?

<aleecia_> +1

<rigo> +1

<npdoty> ACTION: singer to condense non-norm examples on non-JS third parties and integrate into spec [recorded in http://www.w3.org/2012/12/05-dnt-minutes.html#action04]

<trackbot> Created ACTION-345 - Condense non-norm examples on non-JS third parties and integrate into spec [on David Singer - due 2012-12-12].

<aleecia_> (assume marking as option)

<aleecia_> (or otherwise marking as not settled)

<rigo> what issue is this related to?

<WileyS> Any expectations on timing for the next face-to-face to fit with the 8-week notice rule?

<aleecia_> matthias: issue-153 takes more than 3 minutes

<aleecia_> … meet next week, compliance discussion with Peter chairing

<rigo> Action-345 is attached to which issue?

<WileyS> I know we're saying east coast in late Jan / early Feb but that would mean we're close to closing on a location this week.

<aleecia_> … are there prefs on meeting on dec 19?

<schunter> Meeting on December 19th?

<WileyS> -1 on 19th

<BerinSzoka> +1

<rigo> +1

<tedleung> -1

<hefferjr> -1

<rvaneijk1> +1

<adrianba> +1

<dsinger> +1

<dwainberg> -1

<Chapell> -1 on 19th

<npdoty> I may be on a flight on Dec 19th, but could try to call from the airport

<Joanne> +1

<aleecia_> 0

<peter-4As> -1

<moneill2> +1

<efelten> +1

<JC> +1

<hwest> -1

<laurengelman> +1

<peterswire> There is a mix. I suggest we see on the 12th if there are carryover for the 19th

<eberkower> +1

<BerinSzoka> the sooner we nail down the F2F date in February, the better

<jchester2> +1

<WileyS> late Jan is still preferrable for some of us if possible to establish ASAP

<aleecia_> Peter: for 19th, no major decisions, but availability is ok. will meet if we have specific things from the call on the 12th.

<aleecia_> matthias & Peter: keep date for call on 19th, we may cancel it

<dsinger> action-319?

<trackbot> ACTION-319 -- Nick Doty to draft non-normative text on how to accomplish non-JS third parties that want to request for exceptions (with lou) -- due 2012-10-12 -- PENDINGREVIEW

<trackbot> http://www.w3.org/2011/tracking-protection/track/actions/319

<aleecia_> rigo: which issue is David's action item tied to?

<aleecia_> nick: will handle it

<dsinger> issue-138?

<trackbot> ISSUE-138 -- Web-Wide Exception Well Known URI -- pending review

<trackbot> http://www.w3.org/2011/tracking-protection/track/issues/138

<npdoty> +1

<aleecia_> matthias: issue-138

<aleecia_> (might note actions are linked, too)

<aleecia_> matthias: thanks, adjourned

<Lmastria-DAA> thanks

<aleecia_> an apple a dsinger keeps the doctor away?

<aleecia_> ah, fun

<aleecia_> care to mention which person for the minutes?

<aleecia_> seeing as we're doing the no unidentified callers policy

<laurengelman> i am here

<laurengelman> bye

Summary of Action Items

[NEW] ACTION: doty to update issue-112 proposal with specific changes to the draft [recorded in http://www.w3.org/2012/12/05-dnt-minutes.html#action02]
[NEW] ACTION: schunter to ask for any objections to the new exceptions model [recorded in http://www.w3.org/2012/12/05-dnt-minutes.html#action01]
[NEW] ACTION: singer to condense non-norm examples on non-JS third parties and integrate into spec [recorded in http://www.w3.org/2012/12/05-dnt-minutes.html#action04]
[NEW] ACTION: wainberg to propose changes for issue-112 [recorded in http://www.w3.org/2012/12/05-dnt-minutes.html#action03]
 
[End of minutes]

Minutes formatted by David Booth's scribe.perl version 1.137 (CVS log)
$Date: 2012/12/05 18:35:17 $

Scribe.perl diagnostic output

[Delete this section before finalizing the minutes.]
This is scribe.perl Revision: 1.137  of Date: 2012/09/20 20:19:01  
Check for newer version at http://dev.w3.org/cvsweb/~checkout~/2002/scribe/

Guessing input format: RRSAgent_Text_Format (score 1.00)

Succeeded: s/[mumble]/duplication/
FAILED: s/[mumble]/that doesn't have interactive javascript, like just drops a pixel/
FAILED: s/Lee?/Lou/
Found ScribeNick: aleecia
WARNING: No scribe lines found matching ScribeNick pattern: <aleecia> ...
Inferring Scribes: aleecia

WARNING: 0 scribe lines found (out of 1016 total lines.)
Are you sure you specified a correct ScribeNick?


WARNING: Replacing list of attendees.
Old list: dsinger npdoty dwainberg Rigo +1.917.934.aaaa +1.202.331.aabb Peter moneill2 +1.415.520.aacc +1.408.674.aadd +1.781.482.aaee jchester2 samsilberman aleecia Joanne +1.202.296.aaff susanisrael Walter David_McMillan Keith_ANA +1.917.934.aagg [FTC] schunter vinay +1.301.351.aahh +31.65.141.aaii rvaneijk1 adrianba +1.703.265.aajj dan_auerbach +1.646.666.aakk BrendanIAB? +1.678.580.aall +1.303.661.aamm +1.937.215.aann +1.415.309.aaoo Chris_IAB? Bryan_Sullivan +1.813.366.aapp [Microsoft] hefferjr hwest +1.202.344.aaqq +1.408.349.aarr WileyS chapell Jonathan_Mayer +1.408.349.aass jeffwilson Brooks Simon laurengelman? cOlsen Kulick Yianni +1.206.664.aatt afowler tedleung +1.310.392.aauu [Apple] johnsimpson +1.202.331.aavv +1.202.344.aaww Mike_IAB peter-4As? +1.609.310.aaxx Chris_Pedigo +1.646.654.aayy eberkower
New list: dsinger npdoty dwainberg Rigo +1.917.934.aaaa +1.202.331.aabb Peter moneill2 +1.415.520.aacc +1.408.674.aadd

Default Present: dsinger, npdoty, dwainberg, Rigo, +1.917.934.aaaa, +1.202.331.aabb, Peter, moneill2, +1.415.520.aacc, +1.408.674.aadd
Present: dsinger npdoty dwainberg Rigo +1.917.934.aaaa +1.202.331.aabb Peter moneill2 +1.415.520.aacc +1.408.674.aadd
Agenda: http://lists.w3.org/Archives/Public/public-tracking/2012Dec/0025.html
Got date from IRC log name: 05 Dec 2012
Guessing minutes URL: http://www.w3.org/2012/12/05-dnt-minutes.html
People with action items: doty schunter singer wainberg

[End of scribe.perl diagnostic output]