Tracking Protection Working Group Teleconference -- 10 Apr 2013

<trackbot> Date: 10 April 2013

<peterswire> any volunteers for scribing, such as the first half?

<npdoty> scribenick: LMastria_DAA

<Chris_IAB> Just joined via a private number

discussion re UI did not have issues ... Peter apologuzed and soon to be issued w numbers by Nick Doty

Chapell proposal re user education = 1st item on agenda...waiting for Matthias b/c proposal is a confluence w TPE

<dsinger> action-373?

<trackbot> ACTION-373 -- Aleecia McDonald to propose text prohibiting data append (because it requires sharing, or otherwise; with jchester) -- due 2013-03-20 -- OPEN

<trackbot> http://www.w3.org/2011/tracking-protection/track/actions/373

Swire moving to append? b/c wanting to wait for MAtthias

so, now moving to issue 373

Data Append

much of discussion came to a subset of categories for data append

<jchester2> where is Yianni's memo?

1st party operating as a 3rd party...asking FB (rob sherman) to talk about bare bones language

<npdoty> background memo on append: http://lists.w3.org/Archives/Public/public-tracking/2013Apr/0070.html

<jchester2> thanks, Nick

Chris Pedigo not avail right now, so moving along

ok to review white pages and other material

<Wileys> Disagree with this approach as it can't be applied in real-time. This approach requires the 1st party store a user's DNT signal in the online world for application in the offline world. This is FAR outside of the scope of the DNT.

John Simpson: should not include 3rd party data

<Chris_IAB> if it's out of scope, then it's out of scope-- not prohibited

J Chester: targeting should be prohibited

<Wileys> +q

<schunter1> What are concrete examples?

<npdoty> John Simpson: accept a distinction between online and offline; if the data is out of band, not a problem

Mejia: out of scope clarification being sought .... is something prohibited or out of scope?

<Mike_Zaneis> Agree with Shane's technical point. On a broader point, we agreed that 1st party activities should generally be out of scope of the DNT standard. I would oppose this provision.

<npdoty> I thought maybe John Simpson and Chris Mejia are agreeing?

<schunter1> Would this be an example: The site gets my IP, determines that I am in Darmstadt and pulls 3rd party data on Darmstadt Weather?

Swire: if we prohibit something out of scope, does not seem to make sense

<Wileys> There is a queue John

Simpson: 1st party cannot bring data from outside 1st party transaction

<npdoty> John Simpson: wouldn't try to prohibit combining data like from White Pages and being used offline, but would prohibit its use *during* an online transaction

Mejia: is scope to collection/use of online data?

J Chester: are we talking onlinbe context only?

Swire: turn to shane, but has heard this issue before re using data for online ads

Shane: agrees to out of scope concept

<jchester2> Lou. Sorry. Is this a question for me or are you scribing?

<Chris_IAB> Lou is scribing

<moneill2> +q

<jchester2> Let's discuss the role of cookie syncing and other applications regarding append

<dsinger> zakiom, who is making noise?

Shane: offline...we don;t know the signal of the offline data

<efelten> Discussion of what is in/out of scope might benefit from consulting the group's charter, which defines the scope.

<jchester2> it's not just real-time application only. we are calling for a permanent status unless otherwise notified.

<npdoty> WileyS, would you also imagine that it covers data previously collected by a third-party with a DNT:1 signal? (doesn't have to be real-time append)

<Wileys> Nick,

Swire: Shane asks a productive question of John and Jeff re data append

<Wileys> Nick, we already agreed that DNT signals wouldn't require historical purges - although a 1st party may choose to do so

Jeff Chester: 3rd party indicates that it received DNT signal

still has to be worked out

<npdoty> WileyS, right, I just mean data that was collected by a third-party under a DNT:1 signal couldn't be shared later (much as it couldn't be shared in real-time)

<Wileys> Nick, agreed

Chapell: 2 different uses are being described ... 1st party appends in a non-online scenario...2nd: at time user vists large publisher, checks w 3rd parties to bring more data to reg process. clarify?

Swire: Shane...re scenario 2...if DNT signal is obeyed, then applies

<npdoty> wait, but if I connect to a first party, and the first party makes a server-side request to a third-party to match up content customization data about that customer, the third party *isn't* receiving a DNT:1 signal from the user (because they don't communicate directly)

<Wileys> You don't need a matching key - can pass in real-time via a web beacon

<Chris_IAB> to be clear, you couldn't use an IP address to link data together RELIABLY - ip address is more like a zip code than a specific address

<peterswire> is Matthas on the call now?

<peterswire> close q

Mike o'Neill: need an identifier to link data together, possibly pass data w/o signal (out of band - ajax, etc)...

<Chris_IAB> IP address is not a unique identifier

<Walter> Chris_IAB: not reliable enough for a criminal prosecution, but often > 90% reliable

<Chris_IAB> Walter, my research does not concur with 90% reliability.

Robsherman: apologies for late...2 points: obliigations on 1st parties = a long settled issue and reopning may be challenging...it is not append

<Chris_IAB> for example, I'm at a hotel right now, sharing the same exact IP address with about 500 other users I'd guess

Robsherman: language sweeps too broadly.

<jchester2> Rob: Explain further your example. Please

RobSherman: taggings on FB would be unintended consequence and there are many more

<Chris_IAB> the only thing I share with the 499 other guests, other than my IP address, is that we are all staying at a Hilton hotel-- but that's it

<npdoty> I didn't see that implication, robsherman, that might be worth offline explanation

<vincent> Chris_IAB, true but you can clearly dissociate cases where there are 500 poeple behind an IP address and cases where there is only 1 person

Swire: does DNT1 blocks appends in scenario mentioned by Shane...a long way from consensus on this

<npdoty> robsherman: would be re-opening a closed issue, might require fundamentally rethinking the spec

<Chris_IAB> vincent, it is POSSIBLE to do that, I agree, but it represents an edge case for RELIABLY identifying a unique user, not the norm-- industry does not use IP address (alone) to identify a unique user (for frequency capping, for example), because it is not at all reliable a proxy

Simpson: clarifying question: a lack of consensus re scenario 2 (realtime append)

<Chris_IAB> so let's clearly differentiate-- ad industry doesn't do this-- we don't use IP address as a proxy for a unique, because it's highly unreliable in that respect

Swire: trying to clarify by moving to a list of issues

<Walter> Chris_IAB: http://ec.europa.eu/justice/policies/privacy/docs/wpdocs/2002/wp58_en.pdf

<Walter> anyway, sadly I have to drop out

Item #3 on agenda (UI) is now up

User Education and User Interface

<Chris_IAB> Walter, I get that they got this wrong in Europe :) (my POV of course)

<vincent> Chris_IAB, don't use it or don't use it *alone* ?

<Walter> Chris_IAB: I used to think that too, but have changed my opinion. But have to run now.

Swire: unclear how much this is TPE or Compliance spec...perhaps a convergence of the two

Look att he 2 proposals and review

Alan Chappll goes, then Adrian

<Chris_IAB> vincent and walter, happy to take this discussion off-line if you like (please ping me at my email address)-- for now, I'd like to hear the current proposal

Chapell: goal=set guidelines 1: decision to ste DNT is a maeningful decison of the user

2: functionality matches what we've discussed

Goal: user should be making an informed choice

Swire: normative text...what would be biggest changes

Chappel: point 1: clairfies that if extension or add on is used, then extention or add on is subject to this language

<npdoty> I've previously recommended that we explicitly note that any other software that modifies a DNT header (like a plugin) should be held to the same requirements

w/o this informed choice is not achieved

<Chris_IAB> vincent- in advertising, the reliable proxy for a unique user is a cookie; let's discuss further offline

accurate descriotion of DNT (including parties) and provide a link or decription re DNT functionality...button/link maybe same thing

<Wileys> The DNT signal is broadly applied whereas exceptions are individually applied so therefore the bar should be higher for UAs to activate DNT. UAs without UIs would need to find solutions to ensure users understand what is occuring in other ways (such as during install time).

<npdoty> I think we agreed in Amsterdam to re-draft Shane's proposal to be less specific about "link"

<vincent> Chris_IAB, sure, thx

<Chris_IAB> Chapell, we could just define the word "link" to include other things, like buttons

<Wileys> Nick, yes - I already sent that out

<Chris_IAB> Chapell, how about we call it an "object" or "web object"

<Wileys> moved it to "reference" I believe and that fixed the issue

Adrian: proposed alternative: button/link:prescribing link = too specific, some other UI to get to this information is fine...

<npdoty> indeed, WileyS!, I linked to it last night: "The User Agent MUST make available explanatory text to provide more detailed information about DNT functionality within easy and direct access for the particular environment prior to DNT being enabled."

<Chris_IAB> Chapell, or "rendered web object"

<justin> WileyS, That is a different argument than you were making last year.

<efelten> +q

<Wileys> Thank you Nick

Should not necessarily a must question being posed

<Wileys> Justin - it is more nuanced now - many called out this unbalanced situation and therefore my position has evolved.

if education is an online link, then perhaps you cant access

expalanatory text

<Wileys> Justin - I don't believe the delta should be large but I do believe the UA's requirements are "

<Wileys> higher"

broader question: Adrian: set of actions re user choices not solely scoped to UA...site exceptions?...or other UA?

<justin> WileyS, I see. And I have pointed out the arguments about why the consent requirements should be stronger for the exceptions. I thought we had come to a good-faith compromise. This is disappointing.

<Chris_IAB> adrainba- do you think we are CLOSE to an agreement with Chappell's proposal?

Adrian: examples re add-in, non-normative text may be helpful for discussions, but the normative text is what will be used and good to have the simpler doc we're working with right now

<Wileys> Justin, are you disagreeing that DNT set at the UA has broader application than an individual site exception?

Swire: when would primer doc be written...before ort after last call?

<rigo> I will just note that there is symmetry between what you want the user to do for dnt1 and for dnt0

Adrian...no particular time, but as a user, you may want to read something ... example, XML schema was done after....just don't want to be doing at the time when normaitve doc is being debated

<Wileys> Justin, when you look at a race-to-the-bottom, per Jonathan, this can be accomplished from both sides - so this is equal in my mind. Therefore when you step back from that position to the breadth of application, the UA is significantly broader than an individual site exception.

Swire: Doty email: talk about common resource (perhaps from w3c) re informative text?

Adrian: in support of resource, but not complete replacement for primer

<justin> To the extent that an exception allows entities to track universally, I'm not sure the distinction is actually that meaningful.

<Wileys> Mobile apps can display web content

<dsinger> email formatted in HTML can cause HTTP fetches, and is thus a UA, for example.

<Wileys> Those UAs can be updated to provide this information prior to activating DNT. If they cannot, they should not attempt to activate DNT.

<Chris_IAB> efelten, wouldn't it be fair then, if we need user consent, that those UAs that can't get it, don't do DNT?

<dsinger> help viewers are often written using HTML, also

<fielding> I believe we are talking about the UI of a configuration, not the UA itself

<justin> WileyS, if you think that the consequence of turning on DNT is more important to the individual, then existing law would require great transparency obligations.

<Chris_IAB> isn't that a fair requirement?

Felten: many UAs not browsers...informed choice could be there, but caution

<Wileys> +q

<Mike_Zaneis> If a UA is incapable of presenting accurate choices to a user then that UA should not present DNT as an option, which is meant to be a user choice.

<Wileys> +1 Chris

<Marc> +1

<schunter1> Peter: We can continue this discussion until the full hour (folding in my exception discussion).

Mejia: re Felten, express consent ... if UA can't get consent, then UA doesn't have to honor dnt

<peterswire> Matthias: ok; please open the Q again

<npdoty> efelten, is your point about not being very specific about UI? or that informed consent may just vary for different user agents?

<justin> The spec already says that you need to get the user's consent to turn on DNT.

Felten: expressing caution that interaction can happen...so platform, etc...so long as user is informed

<fielding> efelten, right, but we are not talking about the time of interaction -- we are talking about the UI for setting a non-default configuration option.

<efelten> Alan's language does talk about time of interaction.

<peterswire> nick -- please open the Q; matthias has provided more time for this

<npdoty> +1 to justin, there's agreement (and existing text) about consent

Swire: point out that spec = MUST, but DNT may need to be before

Felten: understand info being presented to user

Swiree: follow up after today re Mejia and Felten re time 1 and time 2

<fielding> well, *how* something is presented is different from *what* needs to be presented -- the *how* can be just a list of non-normative examples

<dsinger> +1 to fielding. we should talk about *what* not *how*

<Chris_IAB> tech companies can ALWAYS find a way to message users :)

Chappel: re Mejia: unfortunate if we created std that violates Privacy By Design...would be surprised whether regulators would be swayed by the unability of tech to present the choice
... Adrian: exception that swallows thwe rule

<Wileys> David, the issue is strength of "what" which implies a "how" - there is important nuance here

Singer: a browser help could explain DNT for members of what IAB members and others would like to explore more in the community and is a good idea

Am cncerend about the how

<justin> How is a legal question . . .

What about a mail agent?

<Chris_IAB> as an example, this concept of linking to an educational resource, is available today via the industry's icon-based self-regulatory program

<Chris_IAB> so I can tell you that it works :)

<Chapell> one more thought re: non-normative language --- I'm not sure if Adrian is advocating getting rid of all non-normative language or just some. I may want to revisit the normative language if the group's consensus is to get rid of the non-normative language

<Wileys> Justin, there are equal parts "guidelines" and "laws" for "Hows"

Singer: text such as accurately may be an issue

<Chris_IAB> Chappell, please change "Guidelines" to "Rules" and keep "Must"

<Wileys> We can and should include guidelines here - fair? If we want to only apply the legal bar - I'm fine with that across the board (UA DNT activation and site exceptions)

<Chris_IAB> +1 to David Wainberg

Wainberg: Should vs Must: for the compliance, there many things which cannot be tested...

<dsinger> I appreciate it is difficult to make 'must testability' a hard rule, but we should only contravene when we..um…must

<peterswire> q/

<npdoty> it may have been that Alan was using "guidelines" because the charter specifically notes that guidelines are in scope, while specifying UI would not be

Wainberg: vcan't think of a real eexample where a user cannot be offered information about a choice

<justin> WileyS, Not entirely sure what you mean by guidelines, but I wouldn't mind at all examples saying, "here are ways you could do it." But I think you are probably right that legal bar is probably the right way (http://lists.w3.org/Archives/Public/public-tracking/2012May/0118.html). I disagree with jmayer's proposed language on exceptions.

Wainberg: perhaps separate guidelines for websites and broswers ....the convos need to remain together for the time being

<fielding> DNT is not Privacy By Design. DNT is a user preference; it should not be mistaken for a security/privacy protocol that is actually designed to preserve privacy.

<Wileys> Justin, okay.

Swire: Brookman wrote that extensivce interactions abouut UAs and users...correct?

<Chapell> Yes, Nick --- that's why I used Guidelines. I'm happy to state "rules" if that is helpful

<Chris_IAB> efelten, btw, the digital ad industry didn't use to have a mechanism to message users about OBA targeting; then the FTC and others asked us to do this, and we figured out a way to do it, in the tech. So I don't buy the idea that UAs won't adapt as well, if they want to set DNT.

<dsinger> to fielding: agree, we cannot boil the ocean, we cannot fix every privacy issue online. this is about DNT, HTTP transactions, and people...

<peterswire> Nick, please close the Q

<dsinger> to justin and adrian: I strongly agree we should not agree text on what UA consent means without the same, or parallel text, on what site consent means

Brookman: section 3-11, prescriptive for one and prescriptive for another

<Wileys> Justin, this means industry will separately evaluate each UA's implementation and will decide per each if they will recognize that signal (and reply appropropriately in real-time). Issue 143 will need to be closed for this to finally be settled.

<dsinger> the incentive for sites to be 'economical' with their explanation and so on is strong.

Brookman: leave to market and regulators to figure out

<npdoty> Shane, wasn't that your point with 143? "As we've developed draft text for obtaining explicit, informed consent from a user for out-of-bound user granted exceptions, it's equally important that activation of a tracking preference be coupled with the same explicit, informed consent."

Wainberg: how prescriptive we should be and whether requiremenets are equivalent on both sides...we should set these q's aside and perhaps bring the convos together in the futryure

<dsinger> there is some commonality in requirements; but the consent/explanation for sites to get DNT:0 should be stronger (as this implies a weakening of privacy)

Matthias: ensuring exception alings w what user wants...we should have requirements, including what informed consent is and what education and choices should be discussed
... implementation POV: should be balanced between broswers and sites

<Wileys> Nick, my goal in 143 is that UAs that are setting DNT that are not the web browser but are sending the signal through the UA should name themselves in the DNT header (would require a change to the TPE).

<justin> WileyS, I think I've been sold on the idea that servers should be able to send back some sort of signal that a stated preference is not being honored.

<Wileys> Justin, great.

<Chris_IAB> Matthias, ONLY 20-pages? ;)

<schunter1> We can make it 50, too ;-) The global # of trees is the limit ;-)

<Chris_IAB> +1 to Chappell

Chappel: non-normative language: caution using it as a way to "kick the can" on open issues

Swire: summary: developing a resource for visible link for explaining these issues

<schunter1> My goal is to keep those requirements "as light as possible but no lighter".

<Chris_IAB> schunter1, trees? bytes man, bytes :)

<efelten> Most mobile apps are UAs, for example.

Swire: UAs that don;t have browsers and we may need examples

<Chris_IAB> efelten, why can't a mobile app that wants to set/send DNT, not message the user?

Swire: there may be apps or other things where at Time 1 and a subsequent time when choices may no longer be able to be negotiated

<Chris_IAB> in fact, the NTIA is trying to define this now, no?

<efelten> Not all apps have an interactive UI. e.g. widget that displays current temperature in tiny type in upper corner of my phone's home screen.

Swire: Aleecia circulated the tri-partie issue

<Wileys> Ed, agreed - so each should include fair disclosure and user choice if they desire to support DNT- that's part of the price of admission to DNT.

Felten to bring up examples in 1 week

<Chris_IAB> efelten- those apps CAN have mechanisms; that they don't today, is simply the a reflection of the state that they don't have to, no?

Timing issue...Felten to bring up examples as well

<Wileys> Ed - they can - at install and at time of placement on the screen.

<dwainberg> Ed, how would a user, in the case of such an app, set the DNT signal?

<fielding> … so the configuration UI is important to our task of defining a protocol that is supposed to communicate the user's preference: the user's understanding of DNT needs to be compatible with what the specification says the preference communicates. I'd be happy with any UI that doesn't set DNT:1 by default and doesn't mislead users about the meaning of DNT.

<npdoty> ACTION: felten to draft examples regarding different UAs with different UI affordances [recorded in http://www.w3.org/2013/04/10-dnt-minutes.html#action01]

<trackbot> Created ACTION-390 - Draft examples regarding different UAs with different UI affordances [on Edward Felten - due 2013-04-17].

Swire to circle to Alleecia and Matthias re tr-Partite

Chappel, Adrian, others...can we work on revisions

<Chapell> I'll have some revisions - and would be happy to speak with Adrian

<adrianba> happy to discuss

<johnsimpson> I'm curious,. Do we think that a UA must be able to grant exceptions to be compliant?

<npdoty> ACTION: Chapell to update UI/consent proposal (including discussion with Adrian) [recorded in http://www.w3.org/2013/04/10-dnt-minutes.html#action02]

<trackbot> Created ACTION-391 - Update UI/consent proposal (including discussion with Adrian) [on Alan Chapell - due 2013-04-17].

<peterswire> scribe?

<npdoty> scribenick: dwainberg

<dsinger> issue-187?

<trackbot> ISSUE-187 -- What is the right approach to exception handling? -- pending review

<trackbot> http://www.w3.org/2011/tracking-protection/track/issues/187

Site Consent, 187

schunter1: Issue 187: what is the right approach to exceptions. Offline in email

<hwest> Sorry about that - I'm muted on this end but clearly that's not working

schunter1: I discussed w/ Jonathan, and there is no more resistance to the new exceptions.
... and the remaining concern is whether there is a race to the bottom for UX
... i.e. getting exceptions w/ minimal user interaction.
... so pare this down to "what conditions necessary for setting an exception."
... there is currently language in 6.3.1

<moneill2> +q

schunter1: basically says you must be reasonably certain the user wants the exception
... Jonathan proposed 3 points.

Jonathan proposed these three requirements that refine this language and that I would like to gather feedback on:

1) Actual presentation: The choice mechanism MUST be actually presented to the user. It MUST NOT be on a linked page, such as a terms of service or privacy policy.

2) Independent choice: The choice mechanism MUST be presented independent of other choices. It MUST NOT be bundled with other user preferences.

3) No default permission: The choice mechanism MUST NOT have the user permission preference selected by default.

<dsinger> does #2 mean the site can't say "Give me an exception, or pay me for access?"

moneill2: idea of "at the time". There are sites with large numbers of domains.
... and the problem of signaling consent across domains.

JC: responding to item 2, one can infer from that a company can't create a preferences page that has DNT as one item.

<adrianba> seems like if we agree that sites are responsible for getting consent for exception then the mechanisms for doing so are part of the discussion earlier

JC: also possibility to consolidate mechanisms in the future.
... so would like us to reconsider point 2.

schunter1: so the point is it might be that we set all the privacy preferences in a package.

<npdoty> Jonathan's "independent" requirement seems the only major difference from adrianba's text, I think

JC: yes, as just an example. Or, e.g., some browsers have a privacy page.

ChrisPedigoOPA: it seems like under this a user couldn't be presented with the choice as part of a sign up.
... I don't think it's reasonable to say you couldn't include in one page or one question.

<JC> Item 3) covers that

<Zakim> dsinger, you wanted to ask about #2

dsinger: reads #2 differently.

<npdoty> yeah, that might be the motivation, if it's bundled with the terms of service, that might be objectionable to many of us

<JC> Good point

dsinger: Read it as implying you couldn't have linked choices, e.g. if you don't agree to the exception you can't have ...

ChrisPedigoOPA: elsewhere in the compliance doc, I think we say it's ok to alter experience or refuse access if DNT is on.

<npdoty> I agree that we have made that decision as a group

schunter1: I think the purpose of item 3 is that there has to be an explicit choice.
... so there has to be an exit point from the page that allows not to grant an exception.

npdoty: one way we think about things you accept when you use a site. e.g. a TOS.

<Wileys> With respect to #2, if the purpose of service is tracking and that's fairly well understood up-front, I don't see the need to "overly" state that DNT will not be recognized for this service. We're elevating DNT above all other considerations and that doesn't feel nuanced enough to match real-world situations.

npdoty: so having the choice in the TOS would undermine what we're trying to get at.

<npdoty> we had previously proposed: "explicit, separate and informed consent"

schunter1: My opinion is this is somewhat too descriptive. Suggest language that you can only register an exception is you're sure the user wants an exception.
... then have lists of conditions that can be met.

<fielding> explicit and informed consent is sufficient -- separate has nothing to do with it.

schunter1: This is what you want to achieve, and then examples.

<npdoty> fielding, do you think Terms of Service would suffice "explicit and informed" consent?

schunter1: general question for the group: are these 3 items in scope? Are we ok, in generaly, with these kinds of requirements.

<npdoty> ChrisPedigoOPA: I think we all agree it wouldn't be buried in the Terms of Service

ChrisPedigoOPA: We agree it wouldn't be buried in the TOS. But want to preserve the option to message consequences.

<dsinger> alas, I am sure some sites will want to call the exception API with as little explanation as possible...

<npdoty> +1, I agree on messaging consequences/alternatives

<fielding> npdoty, that would depend on the TOS and the consent, not on its separateness

ChrisPedigoOPA: Principal approach would allow flexibility for different kinds of implementations.

<schunter1> Note that by getting less prescriptive here, I expect to also be less prescriptive for the browser UI requirements (schunter's balance principle)

<npdoty> does someone want to take an action on issue-187? do we need a new proposal? or does adrianba's proposal cover this?

<Chris_IAB> Ice cream man! lol

<npdoty> schunter to propose closing 187, replacing with just collecting user input

schunter1: Formal action for me is to send proposal to close 187 and replace with another issue on ux.

(I can't hear dsinger)

better

<npdoty> dsinger: connected to the previous conversation, should try to come to common text wherever we can

schunter1: preference to bucket both into a single conversation

<dsinger> this issue and the UA explanation issue are linked; not completely common, as Alan says, but there may well be common concerns and/or text

<Chris_IAB> am I the only one not hearing anything?

<johnsimpson> Call breaking up..

I can hear nick.

<hwest> Can hear you, Nick

<moneill2> cant hear

<johnsimpson> not hearing current speaker

<Chris_IAB> not audible

<Chris_IAB> broken conversation

dsinger: the approach of linking site consent and ua consent is right

<schunter1> Redialing

<Wileys> David, agreed - they're linked but I believe the UA issue is larger due to its all encompassing application versus individual exceptions which can be tracked for compliance.

<Chris_IAB> what was that Dsinger?

<Chris_IAB> Mattias turned on DNT

<johnsimpson> Does the group believe that a compliant UA must be able to grant exceptions?

schunter1: would like to consider the discussion of choice collection together under one issue.
... question for both discussion

<dsinger> to WileyS, LOL, I think the site issue is much larger due to the incentive to mis-behave and the larger number of sites

<dsinger> let's see if Jonathan would like to make a revision, good idea.

<dsinger> let's not *combine* but *link* the discussions

<dsinger> note that they have related concepts

<Chapell> Why are we combining - I object to combining at this time

<Chapell> +1 to DWainberg

<npdoty> ACTION: doty to check with Jonathan about revising consent requirements (would adrianba's text suffice?) [recorded in http://www.w3.org/2013/04/10-dnt-minutes.html#action03]

<trackbot> Created ACTION-392 - Check with Jonathan about revising consent requirements (would adrianba's text suffice?) [on Nick Doty - due 2013-04-17].

<fielding> certainly OOB consent is not going to be defined by this standard

next Working Draft

<Wileys> Matthias, we need to close on Issue-143 soon

dwainberg: should have separate discussions for consent in UA vs server

schunter1: next steps work on final edits, next call go over the document, and get to a working draft ready to be published.

<johnsimpson> Do we plan to publish another Compliance working draft?

schunter1: Restructuring the response indicators. What is the best structure to communicate tracking status.

<fielding> http://lists.w3.org/Archives/Public/public-tracking/2013Apr/0066.html

<dsinger> …apologizes, I have some pending edits that are not done...

<fielding> no

schunter1: I think the consensus is 3 pieces

<Wileys> Roy, I don't want to bloat the DNT header signal but I'd like to ensure 3rd party UAs to the web browser UA are naming themselves when activating DNT. Thoughts on how to approach this problem?

<npdoty> regarding publishing drafts: I may have mentioned this only among the editors, we are trying to satisfy our process requirements by publishing snapshot working drafts of the documents

<fielding> NO

schunter1: who you are, whether you're claiming exceptions, and then if you're "under construction"

Response Indicators

dsinger: Question is "am I designed to operate as an X party" is orthogonal to whether have consent

<fielding> I said they are NOT orthogonal and explained why on list

dsinger: replace with a C, meaning I have consent. If they were append, rather than replacements...
... but it's minor, don't need to rathole on it.

fielding: Don't understand how matthias got consent. 1 and 3 say you are compliant, so not orthogonal.
... so you can't say 3 and 1 and C at the same time. They're separate answers.
... if you don't understand what the consent is about you have to go to the control link.

<npdoty> is "C" not intended to refer to consent to things otherwise prohibited by Compliance?

<moneill2> +q

<dsinger> Let's not rathole. Roy's point is a consequence of the way the text is currently written, and we could change it. I can drop it.

schunter1: we have a disagreement there we won't resolve in 3 mins.

fielding: if you're say you're doing something differently from the, e.g. 1st party requirements, then you're not following those requirements.

schunter1: continue this discussion offline

<dsinger> I don't care enough to spend a lot of time on it, though, and I don't want to waste the group's time

- DRAFT -

Tracking Protection Working Group Teleconference

10 Apr 2013

Attendees

Contents

Data Append

User Education and User Interface

Site Consent, 187

next Working Draft

Response Indicators

Summary of Action Items

Scribe.perl diagnostic output