Tracking Protection Working Group Teleconference -- 20 Mar 2013

<trackbot> Date: 20 March 2013

<npdoty> eberkower, please see: http://www.w3.org/1998/12/bridge/info/name.php3

<eberkower> Nick, I frequently call from different numbers

<Marc_> (202) 347-7305 is Marc at NAI

<npdoty> eberkower, in that case, it would be great to learn the Zakim syntax, which refers just to the last four anonymized letters after you're called in

<fielding> npdoty, can you change the irc topic?

<fielding> yes

<peterswire> rob sherman -- work for you to scribe today?

Yes, dialing in now.

<npdoty> scribenick: robsherman

npdoty: Update on F2f.

… F2F hosted at Apple in Sunnyvale — will send details to the list.

… 2.5 days starting May 6.

peterswire: Thanks to Nick and to David Singer.

… Upcoming discussion of UI and user education. This is the subject of some controversy within the group, and I've had some discussions about this.

… Tentative date is 4/10 to do a call on the topic. A variety of people have wanted to raise UI-related issues. The charter says we can't specify particular UI, so the idea is to give people time to consider how to have constructive discussions.

<efelten> Is this about user interface for UAs only, or for all parties?

… If you have proposals around UI, please circulate them by the end of March.

<efelten> +q

… Comments or questions on this?

efelten: Is this about UI for UAs only, or about UAs for all parties?

peterswire: What does "all parties" mean?

efelten: Including server-side UI.

<rigo> +1 to ed, this is interface for exception mechanism

peterswire: No view on this.

<justin> Same as browser

<dsinger> I'd like that on the table also; we should decide where the line is generally...

<rigo> I would include unless the browser makers scream :)

<npdoty> seems like the same (still limited) scope, to me

… My inclination is that we should include server-side UI as a part of this discussion.

<justin> We have previously agreed as a group that prescriptiveness on consent to turn on DNT is tied to consent for exceptions, etc.

<justin> Same level on prescriptiveness is appropriate.

… For compliance spec, want to focus on dependencies within the document. People say, "My ability to agree on x depends on resolution of y."

… My sense from talking to people is that getting people to agree that something is "closed" is an obstacle. People may not have anything more to say on a particular issue "right now" but might want to preserve the ability to object to the inclusion of a particular concept.

… This level of dependency happens more frequently than other standards.

…. For compliance spec only, propose that we use "PENDING REVIEW" to mean "we have a stable text that is more or less settled, no other proposal on the table, would require an affirmative proposal with meaningful support for the issue to be brought back to discussion"

… Looks like there is nothing PENDING REVIEW right now on Compliance.

… The down side of this is that one big benefit in the W3C context is that getting things "CLOSED" helps, and people know what that means.

… But people may be more willing to put issues into the "PENDING REVIEW" parking lot than to "CLOSE" issues with open dependencies.

… Any objections or lack of clarity on this?

fielding: I don't understand the goal of this. If you make "PENDING REVIEW

… the new CLOSED, then when the editors add text to the Editors Draft, which has not yet been reviewed by the Working Group, what do we call it?

peterswire: One difference from the current state is that I understand CLOSED as meaning that it takes new information not previously available to the group as a criterion to reopen.

… Is that correct?

fielding: Yes, but "new information" could be "new text" if the "new text" is substantially different from the closed text.

<dsinger> seems like we'll have pending-review-A (into the draft, people haven't read it, needs flagging in the document) and pending-review-B (we're tentatively OK, flag in the document comes out).

peterswire: Two reactions. (1) W3C nomenclature for CLOSED is not well understood outside of W3C, and I've heard people be hesitant to allow something to be CLOSED because they will be seen to have signed off on it as an acceptable thing in the standard.

… Ex: we've been discussing multiple first parties. We may polish the language to the point that it's as polished as it is going to get, but peoples' view on whether to accept it may depend on whether other language that we haven't resolved is included in the spec.

<rigo> I think chairs can always re-open an issue. "Closed" for me just means you have to convince the chairs to re-open

… I am seeking some way to avoid this problem. We need language to say, "We understand that what goes in at the end is going to depend on interdependencies."

<dsinger> we can always open new issues, and we would need to, if the document is no longer consistent...

fielding: In terms of the list of categories we have for issues, we could configure it and create a new category between PENDING REVIEW and CLOSED.

<fielding> http://www.w3.org/2011/tracking-protection/track/options

peterswire: That would address the concern.

<rigo> +1 to fielding

<dsinger> so, how do we edit <http://www.w3.org/2011/tracking-protection/track/options>?

… I'll amend my suggestion to create a new category. I'll come up to the group by next week with a specific proposal that would avoid "CLOSED" but shows stability.

<fielding> maybe stable or blocked

<npdoty> dsinger, fielding, I think it'll be up to me to figure that out :)

… [reviews agenda]

<fielding> npdoty, yep

<dsinger> to npdoty: I have emailed the mighty dino asking him.

… So let's first turn to audience measurement. This is a more detailed proposal than we've had before.

<npdoty> If you're calling from (408), please let us know in IRC, or you may be dropped from the call.

… Since this came out just before the meeting, this is an initial opportunity to understand the next but we are not seeking to reach a conclusion.

<jchester2> can we have link to the text?

dstark: Since everyone is familiar with the previous version that we'd submitted, comment we'd received is to better distinguish between normative and non-normative.

… We've added text around the idea that a third party would be subject to an independent certification process.

<dsinger> I assume this is <http://www.w3.org/mid/CD6E4A11.1D3A2%25kathy@esomar.org>?

<justin> jchester2, link: http://lists.w3.org/Archives/Public/public-tracking/2013Mar/att-0202/Market_Research___Audience_Measurement.pdf

<npdoty> http://lists.w3.org/Archives/Public/public-tracking/2013Mar/0200.html

<jchester2> thanks

… Basic requirements: pseudonym, not shared without deidentification, deleted/deidentified as early as possible, in jursidctions where there is an MRC or similar body, cannot retain data longer than 53 weeks.

peterswire: Is independent certification widely used today?

dstark: MRC exists. At ESOMAR, we're thinking about the fact that market research firms need a transparent way to communicate with users about how we protect data, etc.

… In the US, we have the DAA program and the AdChoices icon.

… That's what we're looking toward doing for the market research industry.

… But because we're just discussing it now, it's hard to get into specifics now.

<jchester2> I haven't reviewed yet. But question. Will this research be used in any way for the user targeting function, inc. lookalike modeling?

peterswire: Have large companies previously talked about this publicly, or is this just getting started?

dstark: Just discussing now. It's hard to get companies to understand the initiative and the need for it, but we're hopeful about a public announcement in a few months.

peterswire: When you say "de-identified," do you understand that the same way that we're using the term elsewhere in the draft?

dstark: Yes.

peterswire: We haven't used the term "pseudonymized" in this document before. How would you define this?

<npdoty> right, we've avoided getting into "pseudonymous" (and more importantly, "anonymous") -- that would require a new definition, yeah?

dstark: The presentation we had about the German telemedia law made the point that pseudonymized is a waystation between the "identifiable" state and the "de-identified" state.

<justin> We would certainly need to define "pseudonymous"

<justin> Something along the lines of "tied to a device but not traditional PII" I think is what they're going for.

… It's a way for organizations to work with data while it is being aggregated but at the same time minimizing risk of harm to individuals.

peterswire: That's helpful. When the text says "must be pseudonymized," do you envision that would happen instantaneously? In a short time?

<justin> The raw data has to be pseudonymous.

… Do you mean that you can't do any measurement work until you pseudonymize?

Richard_comScore: The ID that is assigned to the measurement is pseudonymized before statistical work happens.

peterswire: Next question is around the permission to collect, retain, and use data for measurement where it is used to calibrate or otherwise support data from opt-in panels.

<kulick> aakk is kulick... sorry

… I understand this to mean that, to qualify for the permitted use, this is supplementary to opt-in panels. Basically, the permitted use is broad enough to support opt-in panels but would not be permitted if not connected to opt-in panels.

<efelten> So you're required to have opt-in panels if you want to take advantage of this exception?

<justin> efelten, yes

dstark: Correct. This is a significant change from the previous proposal, which used opt-in panels as an example but did not limit scope.

<efelten> You're required to collect more data? About identifiable individuals?

<jchester2> +q

peterswire: Could you give us a sense of who participated in the drafting of your text?

dstark: WPP, ESOMAR, comScore, Nielsen, plus me.

jchester: Interesting proposal. Glad to see movement on the part of the research industry. I haven't reviewed the text, but can you say whether the data will be used to target individuals?

<justin> Target no, model yes.

dstark: When companies commission research, the learnings are applied to a broader population. We haven't historically been about 1:1 targeting. But we're like the census: we aggregate data and report it in demographic buckets.

… Someone might take the demographic data and say, "We think this is useful information, and we're going to use these findings for future advertising," that's how a company may use research. But the intent is not to collect data from an individual and use the data to market to them directly.

jchester: I need to look at what ESOMAR is doing, but many members do individual targeting.

peterswire: "Must not be used for any other independent purpose" is part of the language here. DAA similarly says that data collected "shall not be used for targeting back to individuals" or similar language.

<moneill2> npdoty, I dont get any reply on the telephone number

<JC> +q

… Maybe we could solve Jeff's concern by saying "may not be used for targeting back to individuals."

dstark: That sounds good.

peterswire: We should consider using the text in the DAA Principles to link into something that DAA members have already agreed to be onboard for.

<Zakim> npdoty, you wanted to ask about additional opt-out

npdoty: There seems to still be a requirement that, if you use this permitted use, you provide some way for the user to opt out. Why does this distinction matter? Is it necessary?

<Yianni> DAA language: "Thus, the term “market research” does not include sales, promotional, or marketing activities directed at a specific computer or device."

dstark: Research firms today do offer an opt-out today. What we're talking about is, on an industry-wide basis, creating a web platform that would provide greater transparency.

<justin> It wouldn't be industry wide, it would be industry organzation-wide.

… Problem for industry is that if opt-out rates get high, then we have a significant non-response bias.

npdoty: If you think it's valuable for opt-out rate to be low, why have one at all?

dstark: We think that if we provide a broader platform that educates people about how research works, why it's important, how data will be used, you'd want to have it be an informed decision.

johnsimpson: I'm puzzled by this because we thought that DNT was intended to be a persistent opt-out.

<npdoty> maybe that gets to the user education point; dstark, does that imply that you'd be fine with DNT as an opt-out if users were provided additional context or information?

<rigo> I see: DNT works too good as an opt-out, so it wrecks our measurements and calibration. hmmm

… Under the current proposal, if you have de-identified data, can't you do what's necessary for research?

dstark: We need raw data to analyze and aggregate data — to make sense of it before we de-identify it.

<dsinger> but that can be covered under the short-term raw data exception, no?

<npdoty> dsinger, the request is for the data to be kept for 53 weeks

<rigo> dsinger: they want 53 weeks, which is not a short period of time :)

<dsinger> that's not short term, ok

<rigo> identified in a store to show that the calibration was ok

<npdoty> in fact, we've already considered that regarding DAA opt-out cookies

<jchester2> Not sure that the opt-out as presently designed is effective at all.

peterswire: How the specific opt-out that already exists interacts with DNT and the permitted use is a new issue. It's possible as discussion goes forward that they might work together in different ways.

<npdoty> ... WileyS provided text on what to do when you have a DNT header and a cookie both

… Sounds like this question raises some puzzlement.

<rigo> rvaneijk: try again

JC: jchester, if research showed that people searching for beer also liked to buy t-shirts, could we show t-shirt ads to people who search for beer?

<npdoty> ... with the understanding that DNT:1 without an opt-out cookie should act as an opt-out

jchester: Using market research?

JC: Yes.

… If Person A has DNT on and Person B has DNT off.

jchester: I would say that if Person A has DNT on then you cannot use information to advertise to Person B, even if Person B has DNT off.

<Brooks> So is the question - can you do a look alike to someone who has DNT:1 on?

rigo: Two points. (1) To dstark, do you suspect that DNT might be too successful for the system to work? You're going for a system that says, "We have a permitted use, but we allow an opt-out." Seems like a logic break.

… (2) How does market research organize the opt-out or opt-in in the offline world where there's no method for passive monitoring?

rigo: You're saying, "By using a permitted use, we don't accept DNT as a valid opt-out mechanism."

<susanisrael> Note that they are talking about audience measurement, centered around measuring the viewing of specific pieces of content, as opposed to building profiles of individuals and their activities over a period of time

dstark: This ties in with the browser defaults question. If we have to honor default-on, that alone would substantially undermine the integrity of research.

<justin> If there was any hard data on any of this, it would be useful to share with the group.

peterswire: If DNT is <5%, you're less worried. If it turns out to be big, then it's a problem. Right?

dstark: Yes.

rigo: So are you saying that if your opt-out system is too successful because it's usable, you would make it less usable?

<npdoty> speculatively, what fraction of your users clear cookies or block cookies at some point? doesn't that affect calibration?

dstark: If someone visited a platform to exercise choice about market research, they would be able to make an informed choice. But this platform hasn't been built, so it's too early to speculate about how much or little people would use this.

<fielding> Rigo, don't be argumentative about irrelevant points

<dsinger> but if your platform were popular as an opt-out, you'd have the same problem.

peterswire: To wrap this up, the proposal has a number of new proposals from the industry. There clearly are a lot of questions about this, so we'll be following up on this.

… Turning back to our previous discussion about CLOSED, PENDING REVIEW, etc., we've been working with the editors to come up with a new comprehensive draft that could be reviewed by the group. Wanted to give people a heads up that this is coming and that we would like to be really clear about status of specific text.

… Next week, we'll have a presentation for the last 30 minutes of the call on financial auditing.

TPE Issues

<susanisrael> Rigo, I'm not sure why, if DNT is not yet in effect, it is an issue that DNT has not been the way that they have implemented opt out up to now?

schunter: Peter's email included some issues I'd like to discuss.

<dsinger> issue-112?

<trackbot> ISSUE-112 -- How are sub-domains handled for site-specific exceptions? -- open

<trackbot> http://www.w3.org/2011/tracking-protection/track/issues/112

… ISSUE-112. In exception API, we express desire to use wildcards and similar mechanisms to express scope of an exception.

… adrianba said that he could use cookie matching engine. I don't know that we have an action to translate this into proposed text.

dsinger: We do have ACTION-355 on this.

<dsinger> action-355?

<trackbot> ACTION-355 -- David Singer to propose changes to the spec to reflect our tentative agreement on cookie-like behavior -- due 2013-01-28 -- CLOSED

<trackbot> http://www.w3.org/2011/tracking-protection/track/actions/355

<rigo> susanisrael, I just wanted to know why they fear that DNT will be too successful and why their own system will not be

s/???/355/

<eberkower> Is there a problem with the audio

<eberkower> ?

dsinger: Reviewing these actions to understand the history. This action shouldn't be CLOSED.

<npdoty> http://lists.w3.org/Archives/Public/public-tracking/2013Jan/0071.html

<npdoty> adrianba dsinger is that the text to add to the spec?

schunter: Let's just remind you that we need to put text in the spec.

dsinger: I'll review this. Does adrianba have input?

<rigo> susanisrael, because we don't know yet how DNT will develop. So saying DNT will be too successful is a similar speculation than saying the ESOMAR opt-out will be not successful enough

adrianba: I don't recall that being a precise action. I think we agreed on what the text should be but I'm happy to take an action to draft some specific text.

<rigo> +1 to code re-use

schunter: dsinger and adrianba to discuss this, and adrianba will do a revision.

<npdoty> ACTION: adrian to propose specific text on cookie-like exceptions [recorded in http://www.w3.org/2013/03/20-dnt-minutes.html#action01]

<trackbot> Created ACTION-385 - Propose specific text on cookie-like exceptions [on Adrian Bateman - due 2013-03-27].

<npdoty> action-385: this text from dsinger might be relevant: http://lists.w3.org/Archives/Public/public-tracking/2013Jan/0071.html

<trackbot> Notes added to ACTION-385 Propose specific text on cookie-like exceptions.

adrianba: Will summarize options and status to the list as a part of this proposal.

schunter: Don't expect this to be controversial — just debugging the API.

<adrianba> for example the spec still refers to navigator.doNotTrack

<adrianba> instead of window.doNotTrack

ISSUE-163?

<trackbot> ISSUE-163 -- How in the spec should we ensure user agents don't twist a user preference one way or another? -- raised

<trackbot> http://www.w3.org/2011/tracking-protection/track/issues/163

<dsinger> action-366?

<trackbot> ACTION-366 -- David Singer to draft text on another non-compliant/ignoring the expressed preference (by suggestion of WileyS) -- due 2013-02-20 -- OPEN

<trackbot> http://www.w3.org/2011/tracking-protection/track/actions/366

schunter: During F2F, we discussed ACTION-366. dsinger, can you summarize?

<fielding> I don't think we intended to use ! for that -- a new TSV instead

<npdoty> I thought fielding intended "!" to be used for "beta" rather than "I refuse"

dsinger: I suggested that if you're unwilling or unable to listen to a user's preference, use the "!" status to convey that that's happening and provide a link in the well-known resource about what's happening and how the user can correct it.

<justin> Agree with @npdoty --- there are two very different use cases here.

<adrianba> David's proposal -> http://lists.w3.org/Archives/Public/public-tracking/2013Feb/0174.html

<susanisrael> Rigo, I understand what you are saying as a going forward principle, but the existing opt-out was in place before the DNT effort began.

… No idea whether you are compliant under these circumstances.

<Wileys> @Nick, that is where we started but it is now being suggested to be a multi-purpose signal

… For example, if you have a court order requiring tracking, you'd be compliant with the standard but would be tracking because you have to comply with your legal obligation.

fielding: We weren't proposing "!". David's proposal was "l".

<Wileys> Roy, could we lump them together or do you feel they should be separate?

<Wileys> Roy, nevermind - so a new signal is being requested

… Do we need to combine them or can we lump them together?

<rigo> susanisrael, there were many opt-outs in place long before this effort began. It is one thing to say: "We do not honor DNT and do only our own" and saying "we want an exception in DNT, so we do claim to do DNT, but we don't"

dsinger: "I'm under construction" is fundamentally different from "I'm not able or willing to listen to your preference." Goal is to promote transparency.

<Wileys> David, I agree - a separate signal is appropriate with a required resource link to explain the situation to the user

<Wileys> John, yes.

johnsimpson: Is this intended to cover a case where the server has decided to disregard a DNT:1 signal for a particular browser? If so, what would happen?

<justin> That would be up to the user agent.

<fielding> This is proposed as "L" in http://lists.w3.org/Archives/Public/public-tracking/2013Feb/0174.html

<susanisrael> rigo, i'm not sure i understand them to be saying that but happy to discuss offline.

<dstark> Thank you, all, for your questions and input on audience measurement research and ESOMAR's revised text. We appreciate your feedback and will take it into account. Unfortunately, I have to jump off now. Regards, David Stark

<npdoty> thanks, dstark!

<rigo> susan, good idea to discuss that offline

dsinger: That's one possibility. Browser would notice "not listening," and there would be a mandatory link to a page that explains why. In this example, the page would say, "You're using a UA that I don't feel like I can listen to. If you want your DNT:1 preference to be respected, you should use a different UA."

… Not expressing a view on whether that is a good idea. But I am saying that if that is happening there should be transparency about it.

<dsinger> "The conformance of the not-listening response is indeterminate, depending on the reason.

<dsinger> "

npdoty: Do we intend for this to be a "compliant" or "non-compliant" signal? There are some cases — say, legal obligation — where you would be compliant but still retain data in an exceptional way.

dsinger: I think it's impossible to say whether you're "compliant" under these circumstances because it depends on the specific circumstances.

<justin> Many jurisdictions would probably prohibit a transparent signal . . .

npdoty: We're assuming that "1" and "3" mean "compliant." Does "l" mean the same thing?

<dsinger> …running away, sorry

schunter: "1" and "3" say "compliant and honoring signal." "l" means "did not honor the signal" and does not express a position with regard to compliance.

<Marc_> I honestly don't understand what we mean by "not listening" - disregarding?

… This is purely a transparency mechanism for the user.

<justin> L is just "no." I think a site should say "L" if they're required to maintain by a court order (?!), but they could still be technically compliant if they were ordered by govt not to send the signal.

dwainberg: This seems to be getting really complicated with so many permutations. Could we say that if the server is doing anything other than complying with the spec, they would respond with only a policy link that describes what they are doing or not doing and why?

<justin> marc_, right, L is "I'm disregarding the signal."

<npdoty> Marc, I believe the suggestion is to indicate to the user when a site isn't complying with the expressed preference

<fielding> we could make it a "D" instead ;-)

<npdoty> to dwainberg's point, do we need it to be distinct from "!", even if conceptually they're different?

rigo: I think this signal is needed because you could have multiple valid reasons, and we can either be transparent about this or not tell the user. I prefer to be transparent.

<npdoty> or if there are cases where it makes a difference to the user/user agent, then we should keep them separate

… I think the explanation should be optional. If we make it mandatory then we create a new URI for more legal text.

<Marc_> Is this different than "I do not honor DNT:1"?

<justin> Marc_, it's a way to message that on a granular basis.

<npdoty> Marc_, I think it does imply "I do not honor this DNT:1"

schunter: My sense is that most people are okay with this signal, even if it can be used to reject certain UAs.

<dsinger__> I am not listening and won't tell you why?

<Marc_> This is optional or required? It's a "may?"

fielding: I suggest "D" for "disregard" rather than "L" for "not listening" because it's a weird double negative.

<dsinger__> IF you ignore me you MUST tell me so and why...

schunter: Agree.

<justin> marc_, it's mandatory if you're disregarding a signal

<johnsimpson> D makes sense. Do we still have the "!"

<fielding> yes

… Can fielding add text on this to the spec?

<justin> Indifferent on whether explanation should be required.

ISSUE-137?

<trackbot> ISSUE-137 -- Does hybrid tracking status need to distinguish between first party (1) and outsourcing service provider acting as a first party (s) -- pending review

<trackbot> http://www.w3.org/2011/tracking-protection/track/issues/137

<npdoty> well, if you're replying with D/L, you're already non-compliant, right? so additional requirements may not mean much

<npdoty> for example, you could just reply with no Tk: header

schunter: On ISSUE-137, we've had a longstanding disagreement about whether or not we need a "service provider" singal.

… David has suggested that this is no longer relevant.

<dsinger__> Compliant to compliance spec and conformant to protocol are different

<npdoty> ACTION: fielding to add disregard/"D" response value to TPE draft [recorded in http://www.w3.org/2013/03/20-dnt-minutes.html#action02]

<trackbot> Created ACTION-386 - Add disregard/"D" response value to TPE draft [on Roy Fielding - due 2013-03-27].

dsinger: I read the text and did not have a concern.

<justin> @npdoty, a site could maintain that they are compliant because the signal did not reflect user intent. However, this signal is necessary for accountability and transparency.

… We can eliminate the "service provider" flag. It's addressed in what's currently called the "first party array" but would be changed to "data controller array."

schunter: Any contrary views?

<efelten> I think the people with the strongest feelings in favor of transparency here are not on the call.

<dsinger__> My only question on 137 is whether we need the examples somewhere?

<npdoty> justin, I don't think they're compliant in any case when they're not responding to DNT:1

… aleecia was a proponent of having a service provider flag.

<dsinger__> She had this text for review before the group did

<justin> @npdoty, It's an open question in the text.

<johnsimpson> Where is the text now?

<fielding> My point was that a single letter "s" doesn't add transparency in any meaningful way, whereas the solution in TPE does.

ISSUE-164?

<trackbot> ISSUE-164 -- To what extent should the "same-party" attribute of tracking status resource be required -- open

<trackbot> http://www.w3.org/2011/tracking-protection/track/issues/164

<dsinger__> My email confirms Roy.

schunter: Rigo proposed text.

<npdoty> ACTION: aleecia to review David Singer's most recent suggestion on service provider flag to see if it addresses the concern (with jmayer?) [recorded in http://www.w3.org/2013/03/20-dnt-minutes.html#action03]

<trackbot> Created ACTION-387 - Review David Singer's most recent suggestion on service provider flag to see if it addresses the concern (with jmayer?) [on Aleecia McDonald - due 2013-03-27].

… You explained why "should" is the right approach for the same-party attribute.

<schunter> hello

<rigo> action-258?

<trackbot> ACTION-258 -- Rigo Wenning to propose 'should' for same-party and why -- due 2012-12-12 -- CLOSED

<trackbot> http://www.w3.org/2011/tracking-protection/track/actions/258

<rigo> http://lists.w3.org/Archives/Public/public-tracking/2013Jan/0093.html

rigo: [reads proposed text]

… The only difference is changing "may" into "should."

… You don't have to declare same-party, but if you don't then the first party is the only one that can claim first-party status.

<fielding> I am opposed to making it a SHOULD because it is not required for interop and would be a burden on implementors when there is no actual usage in practice. If it turns out to be useful (browsers are coded to use the array for verification), then that alone is sufficient to encourage sites to provide the array.

<npdoty> "optional" and "should" are incompatible terms, aren't they? (or does "should" correctly note that the member is not "mandatory" and therefore "optional"?)

… adrianba says there is no plan to implement this. Tricky to propose wording that may not be implemented. One compromise is to remain with the old text and add non-normative text encouraging browsers to consider other parties as third parties unless they're in the same-party element.

schunter: One alternative is to require parties to express whether they are following first or third party obligations.

… By having same-party attribute, you can identify other elements that belong to you, which will make browsers not suspicious if they see other elements claiming first-party status.

adrianba: I'm okay with including text to encourage sites to consider providing the information in the well-known resource. I don't think a requirement to encourage browsers do anything. Everyday-use browsers won't be making any judgment about this.

… Ultimately, this information will be used for research, some form of auditing, so up to site owners to make a judgment about whether consequences of including or not including the information justifies the cost.

… So I am okay with text talking about the value of including the information, just not a requirement that people do it.

fielding: Same comment as adrianba on the server side. If this is a useful resource, servers will provide the information. It isn't necessary for interoperability so we shouldn't make it a "should."

… My experience is that nobody will be using an actively verifying browser.

… I'd like to minimize the burden of complying with something that will never actually be deployed.

rigo: Interesting. If nobody is implementing the tracking status, that undermines legal foundation of DNT.

… Why have the tracking status resource in the first place if nobody is interested?

<adrianba> +1 to what roy said

fielding: I brought that up originally. Maybe only one person uses a verifying browser, and it's useful to that person. But I don't think normal people will use this.

rigo: So it is clear to me that if the browser isn't verifying anything, then it is not better than browsers that just spawn DNT:1 headers. It's not a communication mechanism in that case. Why can you ignore default DNT? If it disregards status, then it will only react with exceptions, which turns into a normal cookie store.

fielding: This isn't about whether the communications happen, or whether the server makes a commitment. This is just about what additional information server may, should, or will provide to satisfy a verifying browser that may never exist.

… If we require that the server provide information that is only ever used by a regulator, we are creating a huge cost for something a regulator would be able to determine on their own, without an additional protocol.

<tlr> My recommendation: Specify the feature, go experiment with it, and see what happens around LC or CR.

… If I am wrong about this, and there is a mass-market browser that does verifying, then sites are naturally encouraged to provide more information for that browser.

<npdoty> I think dsinger has already written the non-normative text expressing some reasons a server may be interested

… Just because you can use an active verification browser, and because the protocol can support it, does not mean we should burden implementations with fully supporting it.

rigo: I can provide non-normative text that describes this use case.

… If Adrian sends a message saying "I'm the same party" and I consider myself the same party, I could just store an exception.

<fielding> Yes, I was responding to the agenda item … I have not seen the non-normative text yet so I would expect that might be okay if it is clear that active verification is not required of browsers.

… This is totally different from that.

<adrianba> the exception API requires to be done at the point of consent - not when the site feels like it

… Using exception mechanism to solve same-party problem is not a good idea.

schunter: Rigo should propose non-normative text on this.

<fielding> it makes a good use case

… Sympathetic to not requiring it. If no browser looks at this field, no consequence to not providing it. If browsers start looking at it, sites will do so because they will have consequences for not.

… Okay with everyone?

<adrianba> +1

<npdoty> ACTION: rigo to draft non-normative text for why it's useful for a server to provide same-party members [recorded in http://www.w3.org/2013/03/20-dnt-minutes.html#action04]

<trackbot> Created ACTION-388 - Draft non-normative text for why it's useful for a server to provide same-party members [on Rigo Wenning - due 2013-03-27].

… I see potential that user agents and users are confused by the same entity that has multiple independent URLs.

<npdoty> action-388: you may want to check with dsinger on action-317

<trackbot> Notes added to ACTION-388 Draft non-normative text for why it's useful for a server to provide same-party members.

Next week

peterswire: Next week, last half-hour will have a financial auditing presentation.

<johnsimpson> Can we please recap any details on next F2F?

… Beyond that, I don't have other details. Pushing to get text finalized by Friday or Monday.

<npdoty> johnsimpson, I'm sending email to the group today

<johnsimpson> thanks, Nick

<johnsimpson> Thank you

<Wileys> Address and hotels coming out soon?

… [recaps F2F arrangements, to be sent to mailing list today]

<phildpearce> Suggestion: Could /crossdomain.xml for sharing "same-party" status be used as a parallel example?

<phildpearce> thanks

<phildpearce> Question: would browsers running in "Verification/Regulator mode" lead to browsers cloaking? (e.g. different content displayed to "Verification mode" vs normal browser - same as GoogleBot SEO cloaking).

- DRAFT -

Tracking Protection Working Group Teleconference

20 Mar 2013

Attendees

Contents

TPE Issues

Next week

Summary of Action Items

Scribe.perl diagnostic output