Tracking Protection Working Group teleconference -- 06 Feb 2013

<eberkower> Zakim 646 654 is eberkower

<aleecia> ...?

<aleecia> :-( I'll be doing the transit run soon too (why I type more than talk now) but I'm sorry to hear your voice is gone, David

<peterswire> nick: i'm 404.385.3279

<Walter> Somebody appears to be on a train?

<peterswire> volunteer to scribe?

<Yianni> scribe: yianni

<npdoty> scribenick: Yianni

Peter: George Ivie on the phone
... Peter is contacting by email

<johnsimpson> yes

Peter: preview for Boston face to face
... there are URLs and slides sent around for second portion of today's call
... some of that exceeded the size limits
... Nick put into IRC, put in the URLs for second half of today

<npdoty> slides for homomorphic: http://www.w3.org/2011/tracking-protection/homomorphic.dnt.pdf

<justin_> http://www.w3.org/2011/tracking-protection/homomorphic.dnt.pdf

Peter: In terms of Boston, send some URLS for things are useful

<npdoty> measuring ad effectiveness, from FPF: http://www.w3.org/2011/tracking-protection/measuring.fpf.docx

Peter: for agenda will add more: Monday uses, Tuesday de-identification
... Editors, Yianni, W3C staff followed his advice to get to normative language
... focus is on bare bones, what is actually called for in the spec
... what are remaining issues to get to last call

<bryan> where is barebones spec?

Peter: please review other language to figure out how to assign action items
... list of 48 people of knowledge of coming
... contact Nick if you are not on the list
... if you have topics to raise, the chair will consider

<justin_> The stripped down compliance spec (Bare Bones) is here: http://www.w3.org/2011/tracking-protection/drafts/CambridgeBareBones.html

Peter: if you have language for barebones, get that to Heather and Justin

<Marc_> ((202) 835-9810 - Marc

<bryan> thx

Peter: question or comments on Boston?

Aleecia: make sure that others are aware that a blizzard is supposed to hit on Friday night and Saturday
... she is now cancelling trip
... cannot afford to get stuck in Chicago and Boston

<justin_> Boston is good at dealing with snow. Hopefully everything will be close to normal by Sunday.

Peter: will circulate weather to the list
... Is George Ivie on the phone

Media Ratings Council

<susanisrael> my understanding of weather prediction in ne was less clearcut as of this morning. There will be some kind of bad weather in ne but they weren't sure how bad it would be.

Peter: we are now going to hear from George

George: wanted to explain the role and process of Media Ratings Council
... prepared a brief slide deck to guide through discussion
... background of organization

<aleecia> Susan that's what's frustrating - this could all be fine. But if I'm going to get hotel & airfare back, I need to act today on the best info I have. Grrrr.

George: intersection of MRC and privacy

<hwest> susanisrael, what I'm hearing is that the most reliable model says that it'll be very bad in Boston, but other models are not in agreement - I imagine it'll be a game time decision for a lot of us

<aleecia> was planning to fly out on saturday

<bryan> which deck are we looking at?

George: help illustrate better the kinds of this they do to fulfill there function
... going into slides

<aleecia> http://www.w3.org/2011/tracking-protection/homomorphic.dnt.pdf

<peterswire> Media Rating Council, George Ivie, on list today

George: slide 3, histry of MRC

<peterswire> the homomorphic URL is scheduled for about 12:45

<npdoty> direct link to George's slides: http://lists.w3.org/Archives/Public/public-tracking/2013Feb/att-0012/MRC_Background_--_W3C_and_DNT_1_.pdf

<susanisrael> hwest, you're probably better informed re boston. I was listening to ny area radio this morning. Weather will be friday night into saturday. I'm planning to take the train.

George: people claimed to manipulate audience resource and got congress' attention

<BerinSzoka> that was me just joining

George: looked into how media was measured in United States
... help set advertising rates in program, big input on how content flows to the public
... nexus because broadcast media was licensed for public, wanted fairness in ratings
... hearings lasted 6 years, and government concluded that there should be regulation on how media is measured
... make sure how content flows is based on real measurements
... government recommended system of self regulation
... dealt with broadcast radio
... now media because scope has grown
... administrate a voluntary process for measurement to get accredited
... organization must agree to five sub bullets on page 3
... Pay MRC for cost of audits, conducted by independent CPA form, MRC does not make money on audit
... process is confidential, audit does not go to the public
... work with members to ensure quality measurement
... public only sees seal of approval
... Slide 4, mission statement
... unaltered since 1960s

<Chris_IAB> Chris Mejia of IAB just joined via blocked number

<aleecia> negative indicators -> useless. but the audit financial structure is cool

George: Bottom of slide is the seal that organization can use when they meet the standard
... Slide 5, list of member organizations
... 145 members of MRC (as big as they have ever been)

<Chris_IAB> sorry for joining late - where is deck?

George: they represent all facets of media business that rely of quality of media measurement

<peterswire> MRC deck circulated in mailing list today from swire

<justin_> http://lists.w3.org/Archives/Public/public-tracking/2013Feb/att-0012/MRC_Background_--_W3C_and_DNT_1_.pdf

George: companies they audit like Neilson or allbritton, cannot be members, they essentially regulate
... slide 6, types of measurement products they audit
... Allbritton on the list, a measurer of radio
... television, radio, print, interenet, outdoor are all a part
... on the left, have been approve and have the seal
... on the right, still going through all the standards to acheive the seal

<Chris_IAB> thanks justin_ !

George: slide 7, how MRC interacts with privacy
... Neilson recruits households to instal meters on households, they accumulate data, and they produce television ratings
... all of those homes have opted-in
... MRI, Allbritton, it happens in all companies that they have audited
... in the internet realm, you still have legacy (metered, opt-in process), but also have more passive ways to track
... track by using a cookie, what ads people are exposed to
... MRC is not a privacy policy organization
... standards of MRC do not talk about standards of privacy, not experts in that
... we do not set privacy focused standards
... audits mandate some form of retention of data, not driven by privacy
... driven by users of data being informed when errors are made

<jchester2> We should discuss the cross-platform assessment of users, such as via: http://www.measurementnow.net/support-the-mrc.html

George: standards require that if you make mistakes, you need to reformulate data, so data must be retained

<justin_> How long?

George: some companies say they cannot retain data for privacy purposes
... good example is click, if MRC says data must be retained for a year
... if company says we cannot retain it at all, MRC says you do not have to retain if they have a legitimate reason

<aleecia> That's cool

George: do not need to retain data that puts you at privacy difficulties

<justin_> Privacy policy > MRC retention standards.

<jchester2> The MRC system needs to be evaluated in terms of the data collection practices of the digital marketing industry.

<aleecia> So auditors do not require any retention period longer than the org has

George: consider organization privacy policies more important than MRC standards
... general want retention of measurement data for 1 year
... MRC is about quality of measurement, not privacy
... slide 8, types of things MRC deals with
... cell phones versus land line phones, how do you sample

<jmayer> Some time ago we debated whether MRC mandates data collection and retention despite privacy controls. Looks like we have a definitive answer.

George: how to incentive people to participate in surveys

<Chris_IAB> Yianni- to clarify for the record, George did not say that privacy policies are "more important" (but that's what you wrote) - he didn't use those words

George: slide 9 for new media

<jchester2> We should review: http://www.measurementnow.net/faqs.html

George: take an ad campaign tag it and see how many people were exposed to it
... summarized issue on right of the slide
... for user-centric most of it is opt-in
... common issues are for al organizations
... these are the areas we concentrate
... that is the general backgrond, do people have questions

Peter: going to ask questions first, then people can get on the queue

<aleecia> (wasn't ack'ed from before)

Peter: Audit function- someone bought a certain things and was it delivered?
... might have more like general market research, wat are race and age characteristics
... are some of these audits and others market research?

George: we audit media research
... do not answer general census data
... we audit a product that tracks or gains an understanding of media uses, what do people watch, listen on the radio
... what internet websites do they visit, what billboards do they see when driving to work

<justin_> Chris-IAB, He didn't say more important, but he did say that self-imposed retention limitations for privacy reasons trump the MRC's retention requirements.

<jchester2> +q

George: most of them are samples, standard- sample must represent population being measured
... we audit the controls around the measurement and methodology as well

Peter: timing - period that a measurement is in the field, a campaign, is that days, weeks, months?

George: it varies. television and radio are in periods
... could be a 6 or 7 day period or a 30 day period

Peter: survey around online?

George: in digital realm it is very different, the length of campaigns are determined by marketers
... example, marketing campaign to sell a car, start 2 months out
... track campaign for entire life cycle, can track every month, week, or daily
... it can be customized based on marketers demand
... A month or 2 months is on the long side of a campaign
... sale at target could be 2 days before the sale

<aleecia> This is highly informative

Jonathan: Had debates on the issue of whether MRC requires certain forms of data collection or retention
... rather they are general practices or give way to rules around consumer privacy

<hefferjr> it is not unusaly for online campaigns run for more than 4 months

<hefferjr> oops, unusual

Jonathan: just wanted to confirm that MRC follows that when privacy concerns conflict with collection and retention, privacy concerns trump ordinary business of tracking and retaining data

George: you are correct, mainly comes up in more passive tracking enviornment

<kulick> kulick is part of [Yahoo!]

<npdoty> right, in the active panel market research approach won't generally have a user opt-out conflict

George: in everyone, we say they can follow organizational privacy concern

Jeff Chester: can you talk about the 3MS? initiative?

scribe: can you talk about view of viewable impression?

George: very large topic, try to summarize
... 3MS was an initiative started by major trade association in media business
... wanted to do was try to make digital advertising enviornment more effective
... try to allign to make more measureable with other media measurement
... in television only count ads that are viewed
... because of technology implementation, there were no technology to determine whether someone actually saw the ad (below the fold)

<npdoty> this link jchester pointed out earlier is a helpful FAQ: http://www.measurementnow.net/faqs.html

George: people still paid for the ad, but the ad may have been served outside viewable space
... if you want to measure digital, you had to make viewable (needed the technology)
... people are using technics that they embed that determines whether ad is viewable
... industry made a recomendation that we change currency from served ads to viewable ads
... 3MS used a large consulting firm and lots of participants, and have turned over project to MRC
... MRC is taking viewable content and making it operable in ecosystem
... we are setting the standard of viewable, leading this now
... we are aligned with this concept that ads should be monitized when viewed
... another of 3MS how to do cross media standards

<JC> Not I

<Brooks> no audio problems here

<Walter> npdoty: it is probably just you

George: basically background on project, have to have inteligent about page that you have not had before

<Walter> it drops, but not in a very noticable way

<eberkower> audio has been fine for me

George: does not have any personal information about who is accessing page

<npdoty> the FAQ seemed to suggest that it did include data about the audience: "Digital GRPs will be based on viewable impressions and reflect age, gender and ethnicity demographics, with ability to add further demo and behavioral targeting."

Chris: IAB, question with regard to details of Jonathans question

<jchester2> Yes. thanks Nick!

Chris: talked about auditing, a little less on accrediting side
... Jonathan is refering to debate that when user opted out (DNT=1)

<jmayer> +q

Chris: Jonathan is talking about idea that we would not do any data collection on that user for any purposes

<jmayer> That's not true. I have never suggested Do Not Track would eliminate all data collection.

<justin_> Not "none" --- the Stanford/EFF proposal allowed for a fair amount of data collection.

Chris: you would shorten time of retention versus not collecting data at all and not being accountable in the market

<justin_> Chris_IAB, that is what *no one* is talking about.

George: generally you do not see organizational policy that we will not track at all, not what MRC runs into in practce
... we should limiting of tracking of certain types of information, personally identifiable information or historical records of how cookies interact with people
... policies that are focused on sensitive information and generally what comes up with data retention
... we do not see that we are tracking general ad impression, generally those are allowed to be tracked by privacy policy
... have never runned into that concern

<peterswire> special meaning to "raising pen"?

<npdoty> it might be hard to speculate, but I wonder if an organization has a privacy policy to drop data from a certain set of users (or some fraction of the data from those users), whether it would still be in compliance with MRC audit requirements

George: there is sensitive information (we audit cable organization- what you watch on tv can be sensitive)

<justin_> He wants to rebut Chris_IAB's mischaracterization of his position.

George: we respect stringent privacy policies for sensitive data

<Walter> peterswire: it means that Jonathan wants to interject a question

<Walter> can we let Jonathan finish?

Jonathan: step 1. One of the proposals in the group has not been to cease all data collection
... that collection aligns with how MRC sees more senstive data
... example, ad shows up on website, website can retain the fact that ad was displayed

<BerinSzoka> wow, Jonathan: maybe you could try just a little not to make this personal and accuse people of misrepresenting you? For example, you might say, "Excuse me, but I think I haven't made my point quite clear. Let me try again." That's how adults communicate

Jonathan: lets suppose all of that is allowed to be retained, but all other information about user cannot be retained

<peterswire> please keep comments focused on substance, online and in voice

Jonathan: if DNT was to go so far, would that impression information still be okay

<Brooks> Jonathan: what you suggest is not possible

Jonathan: no one has suggested that is off the table

<johnsimpson> q

<aleecia> could we get an answer to Jonathan's question?

<jmayer> Um, what happened to my question?

Peter: could you help me understand, financial audits

<johnsimpson> jonathan?what happened to answer to

Peter: is there another realm of people doing financial audits?

<Brooks> if you store granular data that includes discreet identifiers they are inhernently linkable

<Walter> indeed, I haven't heard an answer

<Walter> +q

George: yes, we do not measure financial information, we measure audience
... others do financial audits, did they get what they paid for

<aleecia> well, Jonathan's still in the queue: perhaps he can ask succinctly when it comes back around

George: Advertiser makes an investment of $100 million ad campaign, go to ad agency
... tell impression of each media type, then ad agency executes

Peter: who should we go to?

George: association for online advertising for companies that do that (do not remember the name)
... companies audit that the company spent $100 million, did they get the impression, should there be refunds (MRC does not do)

Brooks: okay to ask, what is the importance of those types of audits and the typical information that needs to be kept

<npdoty> we have ad association folks here; do they have a sense of what organization is in place for financial audit standards? are there other standards for us to be aware of?

Brooks: purchasing for specific locale need IP information

<jmayer> I have to run to class. Here's a recap of my question: If Do Not Track were to mean a company can collected impression data (e.g. ad X was shown on site Y at time Z) but cannot collect user-specific data (e.g. no unique IDs, no IP address), would that be OK? Nobody in the group has advocated anything so restrictive, but if I understood the previous comment, Do Not Track could go that far and still align with MRC rules.

George: there are traditional media companies that do auditing he previous mentioned

<Walter> jmayer: I'm going to rephrase your question anyway

George: in digital world, there are ad verification services

<justin_> DoubleVerify and the like . . .

George: paid to follow digital advertising and see if ad met certain terms and conditions
... it did not appear in harmful media enviornemnts (DIsney on a porn website)
... MRC does do audits of that sort, even wrote the standard
... for tracking of whether certain terms and conditions are met (ex. geo-location to appear in US)

Brook: when you do that type of audit, you need to retain things like IP address (show ad did not show up in RUssia)

George: that is correct

Aleecia: 3 questions
... first, are there any cases where you have required data retention for one years

Geroge: no, we have a standard for a year

Aleecia: we do not distinguish content like children data (senstitive data a part of )
... if we limiting data rentetion data for 6 weeks, would that be a problem?

George: it would be a severe problem for the industry, not a problem for me
... should recognize the difference between sensitive data and non-sensitive data

<Chris_IAB> Yianni, not a "server" problem, a "severe" problem

<Chris_IAB> for the record

<justin_> -q

<npdoty> do MRC standards/audits explain what they consider sensitive or not sensitive?

<Chris_IAB> Yianni, please note your typo above-- it's important for the record - thanks :)

Aleecia: if we decided to limit data (no IP adresss, no user id)

George: would not afffect auditing, but would hurt the system

<Chris_IAB> npdoty, thanks!

George: people would not believe in the value of the ad because there is no intellligence around it
... Not saying it has to be personal information, but they has to be intelligence around transaction to know that it has value

<jchester2> They will want to know about individuals and their behavior.

Aleecia: could have a count of this many people in this area code without having IP address

George: throwing out hypos, but not saying you need IP address.
... personally he does not feel they are not that sensitive

<BerinSzoka> @Yianni, shall I take over scribing?

<peterswire> given the work done by our next speaker, we are going to shift to that part after this

<susanisrael> yianni, i think george said he's not saying you DON'T need ip address

Yea, you can take over scribing

<npdoty> scribenick: BerinSzoka

<justin_> jchester2, I don't think he's saying they need to measure cross-site behavior on an individual basis. He's saying the individual information is useful in measuring each separate client.

<npdoty> George: for the example of search marketing ... stricter privacy polices, and I can audit to that policy

<npdoty> +1, thanks very much George!

OK, I'm taking over scribing now...

<Chris_IAB> thank you George

<phildpearce> Useful link - Re: ClickFraud or Impression fraud, I have seen IP + user-agent + referral used to detect valid clicks and valid impression here: http://www.adometry.com/publishers-ad-networks/click-forensics/index.php

<npdoty> http://www.w3.org/2011/tracking-protection/homomorphic.dnt.pdf

Khaled, Homomorphic Encryption

<npdoty> scribenick: BerinSzoka

Starting now Dr. Khaled El Emam, Canada Research Chair in Electronic Health Information CHEO Research Institute and University of Ottawa http://ehip.blogs.com/about.html

slides not available during call

<aleecia> To summarize so I remember this later: as per George, 1 year is max retention for their audits; they could audit if we capped all retention to 6 weeks; if we limited data retention or collection to aggregate data they could audit to that. However, George strongly notes this may not be a good idea for the industry: just because they can do the audits does not mean it's a good idea for the ecosystem. But, there are no barriers to whatever we want to do based o[CUT]

<aleecia> requirements. (If someone else thinks we had a different dialog, please set me straight)

Khaled: I'm focused on problem of understanding ad effectiveness, especially matching individuals who saw an ad online, then went to an offline store--linking the two events together using a user ID

<npdoty> slides are available -- http://www.w3.org/2011/tracking-protection/homomorphic.dnt.pdf -- though not everyone may have reviewed the FPF document -- http://www.w3.org/2011/tracking-protection/measuring.fpf.docx

Khaled: "Salting" hashing means adding some random values to a hash to prevent it from being reidentified

if the unique user id isn't a unique identifier, it's possible to do frequency attacks on hash values

3 concerns have been expressed about using hash values for matching

(frankly, this presentation being rather technical, I think it doesn't make sense to have a lawyer scribe it. can someone who knows this stuff better than me scribe this?)

<peterswire> any techies able to scribe?

3 different trust models when you have third parties involved

second kind of trust model is "honest but curious" (passive adversary)

we use this model in health care because we assume public health providers are honest but curious--won't deliberately attack data

if data is breached, it's not a risk because it's not possible to extract PII from breach data

seriously, folks, I'm not qualified to scribe this. could someone else please take over?

<susanisrael> aleecia, re your comment way earlier, i heard a little more nuance in what george said.

<npdoty> in the fully malicious case, the attacker may inject false data

<npdoty> scribenick: npdoty

Khaled: in terms of speed, matching algorithms can be scalable, but not all computations will work that way

<BerinSzoka> thanks, nick!

Khaled: homomorphic encryption is used in these secure, multi-party communications
... a party can count the sum of a few numbers without knowing the numbers themselves
... transform multiplications into sums, and vice versa

<susanisrael> noting that walt michel has joined me in the room listening to Khaled's presentation

a * b equivalent to encrypted version of a + b

Khaled: easier in the context of encryption
... if you're able to do addition and multiplication, able to do quite complex operations
... public key encryption
... two different keys for encryption and decryption
... randomized public key encryption
... add a different random value to the same message each time
... c1 and c2 are encryptions of the same data, but have a different result; this is different from hashing, which would return the same value on the same message
... an important property because it removes the risk of frequency attacks
... but decrypted we get the same original message

<Chris_IAB> detailed. understatement of year so far :)

<Chris_IAB> interesting stuff though :)

Khaled: (more detailed than you might have expected; explaining notation)
... [encrypted version of a plain text]
... [a] * [b] = [a + b]
... by multiplying two encrypted numbers you can get the sum of the original values
... [a]^b = [ab]
... taking an encrypted value and raising it to the power of b and send it back to you, you get the product of a and b
... deterministic matching between parties A and B
... the result is 0 if the numbers are the same and a large random number otherwise

<justin_> After this, I will want someone to tell me whether this allows companies to study users longitudinally while prohibiting them from ever tying the data set back to a user or device if they were strongly motivated to do so.

Khaled: a standard protocol for two parties to determine whether the value is the same without revealing to either party what the other's number is

<justin_> Setting aside the question of whether a collection of url streams over time is intrinsically identifying.

Khaled: the second party can't use frequency attacks to determine the value since the encrypted values are different (random public key encryption described above)
... sending the result back, once decrypted, reveals whether or not the value is the same
... Paillier (slow, and patented) or Exponential Elgamal (very fast)

<laurengelman> i am lost

Khaled: for determining whether values match, this is very efficient, and quick to encrypt/decrypt
... in a fully homomorphic scheme, you can do any number of operations, but not easily scalable and has problems of key management
... (Gentry), currently not performant

peterswire: what are the key advantages? (slide 20)

justin: ad networks that collect URL streams -- could hash that, but then could easily re-link those URLs to a single user
... hypothetically, could send those URLs to some trusted party to do analysis, but couldn't re-link it to a cookie or unique user ID they use
... is that what we could do with homomorphic encryption?

khaled: use case is linking two data sets with some user id, for example, between online and offline data
... could be generalized to the example of matching URLs
... data vault would generate the public keys and send to the different parties
... site would encrypt its data and send encrypted data to the other party (the offline retailer, say)
... retailer would do a comparison, but couldn't yet see the results
... able to do this efficiently for very large data sets
... retailer would send the comparison results back to the data vault
... and could then tell you which records matched
... can efficiently determine whether offline and online visitors were the same, without revealing to the retailer who visited the web site
... only attack is if the retailer, in this example, introduces false data (like a famous person's ID)
... would prohibit via contract and auditing; this is the malicious case
... used for fraud protection and health data
... I think it addresses all the problems previously raised with hashing
... no practical issues for performance, encryption can be done in the browser

peterswire: are there patent issues? is a license needed?

khaled: no, everything you would need is public. the "special sauce" is just for efficiency on large databases; these are all public techniques that have been around for years

justin: can you explain why the data vault is not trusted?

khaled: the data vault only gets match results, just 0s and random numbers, don't have access to any of the records

justin: for a single party, a web site wants to study whether they are return visitors, but wants to lose the ability to tie back to their own identifier

khaled: the topology would be different; would encrypt the data, go through a similar scheme, and use the data vault to decrypt the data in the end

<laurengelman> bye all. wishing you a productive meeting in Boston!

peterswire: thanks to Khaled for going through a lot in a very short time
... hope Justin and Khaled can follow up offline. if anyone can help translate those questions, let them know.
... gone through a lot today, hope these background topics are useful for Boston
... thanks to everybody

<scribe> scribe: yianni, npdoty

- DRAFT -

Tracking Protection Working Group teleconference

06 Feb 2013

Attendees

Contents

Media Ratings Council

Khaled, Homomorphic Encryption

Summary of Action Items

Scribe.perl diagnostic output