15:50:45 RRSAgent has joined #dnt
15:50:45 logging to http://www.w3.org/2013/04/24-dnt-irc
15:50:47 RRSAgent, make logs world
15:50:47 Zakim has joined #dnt
15:50:49 Zakim, this will be
15:50:49 I don't understand 'this will be', trackbot
15:50:50 Meeting: Tracking Protection Working Group Teleconference
15:50:50 Date: 24 April 2013
15:50:56 Zakim, this will be 87225
15:50:56 ok, npdoty; I see T&S_Track(dnt)12:00PM scheduled to start in 10 minutes
15:51:04 Zakim, who is on the phone?
15:51:05 T&S_Track(dnt)12:00PM has not yet started, npdoty
15:51:06 On IRC I see RRSAgent, efelten, npdoty, kulick, schunter, tlr, hober, mischat, wseltzer, trackbot
15:52:17 agenda: http://www.w3.org/mid/5176909E.7040407@schunter.org
15:52:30 agenda+ TPE Working Draft
15:52:43 T&S_Track(dnt)12:00PM has now started
15:52:51 +kulick
15:52:56 agenda+ issue-195 flows for out of band consent
15:53:03 +??P1
15:53:11 Zakim, ??P1 is schunter
15:53:11 +schunter; got it
15:53:18 agenda+ issue-168 sub-services signaling transferred exception
15:53:28 agenda+ next meeting
15:53:50 rigo has joined #dnt
15:54:38 + +1.609.258.aaaa - is perhaps efelten?
15:54:57 Zakim, aaaa is me
15:54:57 sorry, efelten, I do not recognize a party named 'aaaa'
15:56:01 Zakim, aaaa is efelten
15:56:01 sorry, kulick, I do not recognize a party named 'aaaa'
15:56:04 rvaneijk has joined #dnt
15:57:18 WaltM_Comcast has joined #DNT
15:57:19 eberkower has joined #dnt
15:57:50 +eberkower
15:58:20 aleecia has joined #dnt
15:58:28 +npdoty
15:58:38 Chris_IAB has joined #dnt
15:59:19 fielding has joined #dnt
15:59:33 + +1.202.347.aabb
15:59:42 prestia has joined #dnt
15:59:49 +Fielding
15:59:58 +rvaneijk
16:00:12 paulohm has joined #dnt
16:00:26 +Aleecia
16:00:29 + +1.202.326.aacc
16:00:47 (took a few tries to join)
16:01:07 Zakim, aacc may be [FTC]
16:01:07 +[FTC]?; got it
16:01:17 zakim, who is on the call?
16:01:17 On the phone I see kulick, schunter, efelten?, eberkower, npdoty, +1.202.347.aabb, Fielding, rvaneijk, Aleecia, [FTC]?
16:01:19 Zakim aacc is paulohm
16:01:26 +WaltM_Comcast
16:01:28 Zakim, aabb is prestia
16:01:28 +prestia; got it
16:01:34 Zakim, [FTC] has paulohm
16:01:36 +paulohm; got it
16:01:57 +hwest
16:01:57 I can scribe but not talk much
16:02:02 Topic: intro
16:02:03 hwest has joined #dnt
16:02:04 q?
16:02:05 Joanne has joined #DNT
16:02:08 scribenick: kulick
16:02:15 agenda: http://www.w3.org/mid/5176909E.7040407@schunter.org
16:02:17 (even better!)
16:02:20 schunter: TPE call only today
16:02:42 yes, thanks kulick! yay for volunteers
16:02:45 sidstamm has joined #dnt
16:02:47 ... let's get started on discussed
16:02:48 + +1.916.641.aadd
16:02:59 TOPIC: TPE working draft
16:02:59 hefferjr has joined #dnt
16:03:04 kj has joined #dnt
16:03:16 +hefferjr
16:03:18 Zakim aadd is Joanne
16:03:20 schunter: if you have more points to discuss please send to group
16:03:26 request: please send the diffs and a deadline for comments to the non-discussion mailing list. Seems like exactly what it's for.
16:03:27 +[Mozilla]
16:03:32 +RichardWeaver
16:03:32 David_MacMillan has joined #dnt
16:03:35 Zakim, Mozilla has sidstamm
16:03:35 +sidstamm; got it
16:03:36 required, and, roughly every 3 months
16:03:38 ... must publish working draft every 8 weeks/2 months, we are overdue right now
16:03:39 Richard_comScore has joined #dnt
16:03:44 q?
16:03:51 ... correction, every 3 months
16:03:57 Zakim, aadd is Joanne
16:03:57 +Joanne; got it
16:04:03 q?
16:04:20 ... any major comments on plan wrt pushing working draft out
16:04:22 JC has joined #DNT
16:04:25 …other than last week, I assume
16:04:30 +Rigo
16:04:40 ... no comments recognized
16:04:43 Wileys has joined #DNT
16:04:51 +[Microsoft]
16:04:58 aleecia, should we update your affiliation in the Acks?
16:05:05 q?
16:05:07 ... we tried to address major comments from last week. if you feel they weren't addressed please send again
16:05:08 aleecia, I meant to follow up with you yesterday, I'm not sure how to address the issue of sentences that may not be true after changes to the draft
16:05:13 yes, or drop me altogether. either way is fine.
16:05:17 +WileyS
16:05:17 ... moving on and diving into the technical issues
16:05:26 agenda?
16:05:32 Topic: ISSUE-195 Flows and signals for handling out of band consent
16:05:34 Zakim, take up agendum 2
16:05:34 agendum 2. "issue-195 flows for out of band consent" taken up [from npdoty]
16:05:41 +Peder_Magee
16:05:57 Nick, the issue was we no longer have tagged what is at consensus and what is not.
16:06:02 pmagee2023263538 has joined #dnt
16:06:05 trackbot, ISSUE-195?
16:06:05 ISSUE-195 -- Flows and signals for handling out of band consent -- open
16:06:05 http://www.w3.org/2011/tracking-protection/track/issues/195
16:06:08 ... tracking pref sent to site
16:06:12 ....
16:06:18 Jack has joined #dnt
16:06:55 +[IPcaller]
16:06:56 ... in order to send signal site needs to be able to determine if it has consent from user.
16:06:57 If people believe the spec is at consent due to lack of disclaimers otherwise, this is a problem (raised more forcefully by Jonathan than by me, but presumably his points have all just gone to ignored.)
16:07:06 WaltM_Comcast_ has joined #DNT
16:07:11 just joined via Skype
16:07:13 +David_MacMillan
16:07:21 ... @@@ raised a concern
16:07:22 q?
16:07:25 Zakim, [IPcaller] is Chris_IAB
16:07:25 +Chris_IAB; got it
16:07:26 btw- not easy to join today-- kept getting an error message
16:07:27 I agree with Matthias that a global "not at consent" disclaimer is unduly broad.
16:07:37 +JeffWilson
16:07:43 Chris, I had to try a few times too, but did get in.
16:07:46 q+
16:07:58 Ronan: if deter cannot be made in real time then signal will be sent that out of band consent will be gathered later
16:08:10 ...
16:08:24 aleecia, changes were made to the SOTD in the last two days to address the comments
16:08:25 s/@@@/Ronan/
16:08:31 Nick, I think one of the goals is to document what is, and is not, at consensus. But we appear to have lost that in the document. That is my point. Not "things could change"
16:08:34 q?
16:08:44 ... data could not be used, just collected and retained until consent is determined
16:08:48 schunter: issue is out of band consent is not available immediately
16:09:03 q?
16:09:04 ... and 3rd parties
16:09:09 q+ to ask if out-of-band consent is typically retrospective
16:09:12 ack ef
16:09:15 ronan: I would not include 3rd parties
16:09:25 ed: want to know more about implementation scenario
16:09:28 samsilberman has joined #dnt
16:09:31 +Dan_Auerbach
16:09:45 q+
16:09:52 dan_auerbach has joined #dnt
16:10:03 + +1.781.482.aaee
16:10:08 Roy, glad to hear it; do we have a deadline for review? Or is it at some arbitrary time suddenly things are decided to not have attracted comment? If there is a deadline, it would be spiffy for Matthias to send that to the official dlist
16:10:28 zakim, aaee is samsilberman
16:10:28 +samsilberman; got it
16:10:34 ... how would user be notified later. if you could let know later, why not now? ... secondly, how would they be notified later?
16:10:51 Ronan:
16:11:06 aleecia, ask the chair ;-)
16:11:19 q?
16:11:22
16:11:44 big vacuum cleaner for 48 hours to determine what you can keep
16:11:54 ... might have determined later (based on being sent the IP addresses later that night, for example) that a user has given consent
16:12:10 ed: Still don't understand why you need to keep data longer?
16:12:27 johnsimpson has joined #dnt
16:12:36 schunter: let's not get into the 48 hours discussion.
16:12:52 ed: this is about servicing the request not retaining data
16:13:09 q+
16:13:13 schunter: you have to determine in 200 ms, but if not you dont have a way to honestly answer
16:13:22 ... therefore need way to handle that
16:13:31 ed: okay, how is user to find out later
16:13:33 didn't we propose a separate TSR to avoid having to make all determinations in real-time for the HTTP response?
16:13:38 q?
16:13:40 ronan: this is where control link comes in
16:13:48 ... i threw out 72 hours
16:13:55 "and you're curious
16:13:56 "
16:14:05 edit link, at the moment -- anyone with better suggestions for a name are welcome
16:14:07 ... notify UA a time to come back
16:14:10 means the user agent MUST present this to user, or not
16:14:20 ... UA would know and should let user know
16:14:29 jmayer has joined #dnt
16:14:57 +Jonathan_Mayer
16:15:01 schunter: 72 hours is extreme case.
16:15:23 ... some cases you cannot do inline due to time constraints
16:15:32 ... IP address case with many hours is special case
16:15:32 q+
16:15:37 ack np
16:15:37 npdoty, you wanted to ask if out-of-band consent is typically retrospective
16:15:38 q- later
16:15:44 ... most cases are shorter
16:15:52 nick: 2 questions
16:16:03 +q
16:16:06 npdoty: is oobc always retrospective?
16:16:12 .... is out-of-band (OOB) consent retrospective?
16:16:28 @@@: consent prospective
16:16:37 s/@@@/ronan/
16:16:56 Chapell has joined #DNT
16:17:08 ... has to be retrospective
16:17:44 nick:
16:17:57 q+
16:18:02 ronan: would catch in some cases, but not all
16:18:14 ... real time might not be possible on some cases
16:18:29 npdoty: TSR can be requested asynchronously, so you can have the TSR manipulated later and have the browser fetch it later
16:18:30 ... there are technical hurdles
16:19:13 why is that so hard?
16:19:22 ack field
16:19:23 ... response could be very heavyweight
16:19:28 to push that info to CDN or whatever front-end system
16:20:18 +1 on that -- tend not to be heavily into real time needs
16:20:20 Roy: divide problem, certain things we cannot improve on, like surveys to do online response for every request. Problem might not be technical, but rather related to the size/expectations of the company.
16:20:38 ... make sense for compliance is the 200 ms response needed.
16:21:13 cOlsen has joined #dnt
16:21:13 ... would expect related test if you have given consent to be immediate (within normal page request time)
16:21:23 ... this should not be hard to solve
16:21:45 +[FTC.a]
16:21:47 ... there is a limit to scale to responses
16:22:09 ... many times these are requests to other sites and could create probs
16:22:20 +Chapell
16:22:29 ... i dont see the privacy concern
16:22:30 If we want UA to be able to check these things itself, we shouldn't use a link to an unstructured web page. Want machine-readable.
16:22:56 schunter: i believe ronan's answer could be within ~1 min
16:23:03 (I'm not sure why "we collect this data for this use, regardless of DNT" isn't sufficient for consent right there. I think I am missing the important part of this discussion somewhere.)
16:23:07 ... if you are panelist, we keep your data
16:23:12 .... if not, we dont
16:23:22 ... completely diff solution to consider
16:23:48 .... if site complies with 1 or 3 all of these OOB consent apply
16:23:51 efelten, why would we need the UA to check this?
16:23:52 q?
16:23:54 right?
16:23:56 ack rv
16:24:05 it sounds like the problem is that sometimes a measurement company can't identify the user until several hours later (when their panel program reports IP addresses), but will want to add that data to their panel once the identification is made
16:24:12 Ronan suggested a scenario where the UA checks automatically, rather than interrupting the user.
16:24:45 XXX: compliance concern -- cookie ?
16:24:58 q?
16:25:00 scribe thanks you
16:25:02 s/XXX/rvaneijk/
16:25:04 Ronan is trying to solve a very specific problem. Once it gets in the spec it becomes a generic solution. That does not seem logical to me. Two remarks: - Cookie for the control link looks problematic by itself, for it is not a functional cookie and you will run into the 5.3 requirement in the EU - OOBC determination: alternative solution may be a browser add on for panel members. In my view that would be much more proportional.
16:25:11 Nick fills in nicely what I'm missing: I hear "panelist" as member of a specific research study, not, say, Nielsen measurement panels. Thank you.
16:25:26 ack rigo
16:25:34 ronan: we cannot force installation of plugins, but we have some constraints
16:25:43 rigo: dont understand why need special treatment
16:25:48 forgot to mention … I don't think the cookie thing is worth specifying -- that can be a dialog with permission of the user in the extremely rare case it would be desired
16:25:51 ... falls under 2 existing things
16:25:59 .... 1. shorter collection and use
16:26:05 q+
16:26:12 q-
16:26:26 .... 2. tracking compl spec says oob consent trumps dnt
16:26:45 ... therefore, i dont understand need for additional rule
16:27:06 ... it makes it difficult to understand what service collects
16:27:36 ronan: if site responds 3, then it must respond 'C' later and that would be less transparent (correct?)
16:27:57 q-
16:28:05 +Brooks
16:28:10 Brooks has joined #dnt
16:28:23 rigo: browser wants to understand the conditions which the data was given
16:28:25 " If an operator is relying on "out of band" consent to disregard a "Do Not Track" instruction, the operator must indicate this consent to the user agent as described in the companion [TRACKING-DNT] document. "
16:29:09 schunter: must be able to represent that received oob consent
16:30:48 Rigo proposes to signal "3" & "short-term use exception". Out of band then trumps these statements for the panelists.
16:31:14 q?
16:31:24 ack dan_auerbach
16:31:28
16:31:28 +1 that it's less transparent, which is why we added the C requirement
16:31:46 ronan: it would cover everything we want to do, but is less transparent to the user than a P response
16:31:51 dan: privacy concerns hinge on UA does with this info
16:32:07 .... could UA side speak to what this would look like
16:32:11 q+
16:32:21 hwest has joined #dnt
16:32:49 ... Roy mentioned some companies might not be able to address due to size/resources... what happens if the site goes down
16:32:56 ... good to keep simple
16:33:10 ... what if we say not oob consent mechanism
16:33:22 ... ronan, why would this be crippling to you
16:33:28 q?
16:33:36 ... what is the data to suggest a problem
16:33:46 ronan: depends on usage of DNT
16:33:56 ... we use panels
16:33:57 An alternative is to define "3" as "we follow third party rules (including the fact that all constraints are relieved if you gave consent)"
16:34:02 they represent large groups
16:34:11 ... they represent large groups
16:34:12 In this case, one does not need "C" or "L"
16:34:23 schunter, that was alex's original request, as ronan points out, it is less transparent
16:34:29 dan: you could normalize for that
16:34:35 ronan: you can't
16:34:47 q?
16:34:48 ... affects reliability
16:34:58 ack rv
16:35:02 dan: let's offline this
16:35:25 In terms of process, I want to mark down that although this discussion is useful there is no way consensus can be assumed.
16:35:27 +BerinSzoka
16:35:28 UUU: no way consent can be assumed, want to caution about adding tech into public doc
16:35:40 It is an option in the current document -- there is no concern about that being mistaken
16:35:41 we currently have text in an "Option" box, with the issue box marking it
16:35:51 schunter: there is some text and is marked as option or text under discussion
16:35:55 s/UUU/rvaneijk/
16:36:02 :-)
16:36:02 UUU: also could mark as no text
16:36:13 s/UUU/rvaneijk/
16:36:29 III: removing is not a solution
16:36:42 s/III/fielding/
16:36:45 ... we need proposals in the spec... we should not remove
16:37:36 fielding: should we have a specific issue for this?
16:37:38 ISSUE-195?
16:37:38 ISSUE-195 -- Flows and signals for handling out of band consent -- open
16:37:38 http://www.w3.org/2011/tracking-protection/track/issues/195
16:37:40 schunter: 195
16:38:01 ... what if we remove flags and leave spec as it was
16:38:02 +1 to schunter suggestion
16:38:02 I actually think we're only using 195 for the possibility of an additional possible-consent flag for oob consent
16:38:25 as soon as we have short term collection permission
16:38:26 ... OOB gives general expection, which use 3
16:38:56 moneill2 has joined #dnt
16:38:58 ... ?OOB consent relieves of 3rd party rule?
16:39:06 q?
16:39:16 q+
16:39:18 q+
16:39:18 q?
16:39:22 ack al
16:39:24 +[IPcaller]
16:39:45 zakim, [ipcaller] is me
16:39:45 +moneill2; got it
16:39:56 q?
16:39:58 ack np
16:39:59 +1 to Aleecia's interpretation
16:40:03 aleecia: short time period is to figure out how handle not that you can do anything until you figure out
16:40:23 nick: the concern with responding with '3' is that we lose transparency to user
16:40:28 we do lose that transparency, but if they've opted in they should know
16:40:42 +1 to nick
16:40:59 aleecia, I think we have to get a better wording for 6.2.2.1 Short Term Collection and Use
16:41:02 We could mandate "edit" if a site uses OOBC or inline consent.
16:41:04 so the proposal is respond "3" and allow 48 hours to keep the data until consent is determined? (BTW, 48 is just a number I made up)
16:41:09 ... need to provide feedback to user and is important
16:41:11 to reflect what you just said
16:41:33 the problem is that they will never know, right?
16:41:37 schunter: roty, proposal is to answer with 3 and use short term retention exception
16:41:40 fielding, I think it would be respond "3" and retain data for up to a few weeks to determine whether or not you have consent to use the data
16:41:45 please do! I think you've followed the discussion for the past two years
16:41:47 ... 3 means follow 3rd party rules or you have consent
16:41:56 (I guarantee a lack of time on my part in the next month)
16:42:00 the scenario nick suggested would look the same to a user who is NOT opted into a panel
16:42:02 ... if you use oob consent, you must provide link
16:42:09 q?
16:42:14 is there a way for users to find out after that they remain in a panel?
16:42:28 or more to the point, that the company thinks they are part of a panel?
16:42:28 nick?: there would be no way for user to know
16:42:45 q+
16:42:47 schunter: users should be careful about where they provide oob
16:42:47 q?
16:42:50 ack ri
16:42:56 Solution:
16:43:04 (under consideration)
16:43:04 Nick's problem is real I'm just looking for any way to make this work and not seeing a better alternative.
16:43:17 - Signal "3" and permitted uses (here: Short-term retention)
16:43:24 rigo: we have to have qualifiers in spec for exception we dont have qualifier yet
16:43:25 - "3" allows processing under OOBC
16:43:31 ... and we need one
16:43:37 - If OOBC is used "edit" allows to learn more.
16:44:01 qualifiers are optional, so they aren't going to be sent regardless
16:44:12 we have an open issue that that list of qualifiers will be updated to match the Compliance document, when we have settled on them
16:44:28 (yes)
16:44:42 yes
16:44:53 schunter: i suggest sending '3' if allows using oob consent and having to provide link
16:44:59 q?
16:45:00 I'm wondering how we can get transparency outside DNT, just as consent is out of band
16:45:00 q+
16:45:05 ack npdoty
16:45:06 ... suggest updating text and get feedback
16:45:23 nick: not clear who the solution is better for
16:45:25 -RichardWeaver
16:45:28 i have mixed feelings
16:45:29 q?
16:45:29 ...
16:45:38 schunter: 1 less signal
16:46:05 q?
16:46:13 scribe's head is about to explode ;)
16:46:19 rigo, you're wonderful, but don't make me beat you :-)
16:46:25 okay to remove text, though I would prefer to keep the text until after the WG meeting so that we can talk two alternatives at the F2F
16:46:30 schunter: not full agreement... so let's update spec
16:47:00 ... let's put both options in spec and discuss at F2F
16:47:04 i share nick's concerns, but also am concerned that in practice the other flag will also be non-transparent given the complexity proposed and the reliance on user agents to present the info to the user
16:47:06 q?
16:47:10 yes
16:47:17 q?
16:47:29 +1 to fielding to keep text and add markup that there is another option
16:47:42 nick: need anyone else to review?
16:47:53 I'd like to brainstorm other ways of notice
16:47:57 But I don't have anything solid here
16:48:08 Just a sense that perhaps there is another approach for this particular edge case
16:48:09 q?
16:48:10 schunter: roty to provide text
16:48:13 i think one third alternative
16:48:14 ... rest to review
16:48:15 already on the table
16:48:16 action: fielding to add text noting the option of not indicating out-of-band consent
16:48:16 Created ACTION-394 - Add text noting the option of not indicating out-of-band consent [on Roy Fielding - due 2013-05-01].
16:48:22 is to just not have special consideration for OOBC
16:48:23 s/roty/roy/
16:48:25 happy to add more text if someone wants it -- send to mailing list
16:48:36 Topic: ISSUE-168 What is the correct way for sub-services to signal that they are taking advantage of a transferred exception?
16:49:01 schunter: explain by example
16:49:03 issue-168?
16:49:03 ISSUE-168 -- What is the correct way for sub-services to signal that they are taking advantage of a transferred exception? -- open
16:49:03 http://www.w3.org/2011/tracking-protection/track/issues/168
16:49:05 dan, I think P or L will not alter browser behavior, so rather say 3t
16:49:16 apologies all, must take off
16:49:26 -Dan_Auerbach
16:49:32 ... user visits sites and site is using ad network. site says i am okay sending DNT:0 to ad network
16:50:17 ... site passes on consent and i will get 'C' signals from ad providers I never interacted with
16:50:23 having P may mean: "give me all data and accept all cookies because I may have consent about it". Which is much more unclear than "I can keep data for 48 hours to determine what I'm allowed to do with it".
16:50:45 ... browser will be confused b/c it didnt directly interact
16:51:15 ... do we want to tackle it all? or too much of a corner case?
16:51:16 q?
16:51:16 q+
16:51:22 ack rigo
16:52:11 rigo: b/c of ad auction system we need a specific transitory permission for ad networks to deal with the data that was initially given to 1st party
16:52:22 ... signaling is transparency issue
16:52:34 ... we dont need explicit flag for everything we do
16:52:41 .... hinders deployment
16:52:53 q?
16:52:54 ... make more complex with limited gain
16:52:56 q+
16:52:59 ack aleecia
16:53:01 schunter: other opinions
16:53:18 aleecia: complexity isnt only prob
16:53:24 ... transparency is vital
16:53:34 without this feature, browsers can not double-check exception claims.
16:53:37 q+
16:53:42 ack np
16:53:45 ... needs to be some mechanism to represent propagation of consent
16:53:56 nick: imp difficulty is unclear to me
16:54:07 ... _ ---__--___
16:54:18 (Nick breaking up; best scribing ever)
16:54:33 Works in both directions - basically in server-to-server transactions that originated in a client-side request, are DNT signals to be conveyed (0 or 1)?
16:54:57 This distinguished "I got the exception from you" vs "someone else gave it to me2
16:54:59 "
16:55:16 Nick, many online bids occur server-to-server, not through client-side 302 redirects.
16:55:23 ... distinction are already made between DNT:1 requests
16:55:37 -[FTC]?
16:55:39 paulohm has left #dnt
16:55:48 rigo?: it speaks to sub-services
16:55:51 -[Microsoft]
16:56:01 q?
16:56:04 Wileys, but for the response header to the user, only direct to-the-user requests would need to provide the signal
16:56:05 I'm on the call
16:56:06 ... need to exchange sign to sub service and back
16:56:22 schunter: are headers coming from 1st party or sub service
16:56:42 shane: original ad call comes from exchange itself
16:56:58 ... but redirects could include 302 redirects
16:57:35 right, the bid participants don't need to send a tk: response header because they're not sending a response to the user at all
16:57:39 ... then there are bid participants via server-to-server call and outside of UA interaction
16:58:22 ... some participants dont interact with UA at all
16:58:55 rigo: this is why i said we need to invent transitory perms, but carry limits related to the transitory perms
16:59:01 we don't have to add anything to the protocol for the cases where server-to-server communication is taking place; it's up to those servers to indicate that the request is DNT:1 or not propagate the communication at all
16:59:06 ... signalling back to UA is a different issue
16:59:21 ... s/different/another/
16:59:27 Nick, they should equally be able to convey DNT:0, correct?
16:59:33 Wileys, right.
16:59:34 schunter: how to approach this then?
16:59:37 -WaltM_Comcast
16:59:41 I'm okay with that
16:59:45 nick: i'm confused.
17:00:15 I think this is too complex for a phone call … we need a whiteboard diagram that shows the sequence of requests to each party and then explain why some get DNT:1 and others get DNT:0 and which ones the user has actually consented. Maybe.
17:00:21 ... my understanding that some 3rd parties are getting redirected and would say they have consent, but for s-2-s calls wont have it?
17:00:33 ... i think we might need a placeholder for this issue
17:00:51 I'm not seeing how DNT:0 propagates in a sane way, ever.
17:00:56 I agree whiteboard would help, but I think we are managing even so. :)
17:01:01 schunter: are you suggesting have flag and allow for transferring of signal and move on?
17:01:03 Maybe Roy can convince me with a whiteboard but...
17:01:06 q?
17:01:09 rigo: i am okay with that
17:01:10 q+
17:01:12 Yah: just shoot it
17:01:15 q?
17:01:19 ack r
17:01:21 schunter: anyone cannot live
17:01:21 ... with it
17:01:23 ?
17:01:24 hwest has joined #dnt
17:01:24 ... ?
17:01:27 I am not convinced.
17:01:34 maybe we can put it in Pending Review and if when we have a whiteboard conversation we find out something different, we can make a change?
17:01:45 +1 to Nick's procedural suggestion
17:01:59 HHH: some people might not follow flow and therefore the issue, maybe talk about at f2f
17:02:03 ok
17:02:09 fielding, being not convinced is a privilege reserved only for npdoty
17:02:11 s/HHH/rvaneijk/
17:02:16 me?
17:02:18 s/HHH/rvaneijk/
17:02:20 schunter: follow nick's suggestion and discuss at f2f
17:02:28 I don't see how this works for users at all. Not fails a little at the edges, but toasts the value of DNT and in unpredictable and invisible ways.
17:02:36 So I'd love to hear more
17:02:43 who is talking ?
17:02:51 roy>?
17:02:51 (roy)
17:02:53 Roy right now
17:03:11 gracias
17:03:35 schunter: shane, would this work?
17:03:46 I think rather than a complex proposal, we just need to fill in the value currently in the text as "XX"
17:03:50 roy: can shane write up and i'll add to spec
17:03:56 -Jonathan_Mayer
17:04:01 shane: i'll put together a slide for f2f to discuss
17:04:11 ... then we can decide on inclusion for TPE
17:04:18 schunter: i like
17:04:46 nick: just need a placeholder. that was my only concern
17:04:54 ... i can add the text and pending review
17:05:19 action: shane to provide a couple slides explanation of exchanges / redirects / server-to-server
17:05:19 Created ACTION-395 - Provide a couple slides explanation of exchanges / redirects / server-to-server [on Shane Wiley - due 2013-05-01].
17:05:28 hwest_ has joined #dnt
17:05:29 Issue-143?
17:05:29 ISSUE-143 -- Activating a Tracking Preference must require explicit, informed consent from a user -- closed
17:05:29 http://www.w3.org/2011/tracking-protection/track/issues/143
17:05:33 schunter: no more issues on agenda
17:05:33 Can we discuss that today?
17:05:37 ... whoa
17:05:45 +q
17:05:48 q?
17:05:51 ack Wil
17:05:51 ... open for any other topics
17:05:56 action: doty to provide pending review text for signal of transferred/redirected exception (issue 168)
17:05:56 Created ACTION-396 - Provide pending review text for signal of transferred/redirected exception (issue 168) [on Nick Doty - due 2013-05-01].
17:06:04 shane: can we talk about issue 143
17:06:08 ... large issue for us
17:06:18 ... tied to who is setting the signal
17:06:20 aleecia, I tend to agree, but maybe it would be possible if we reduced the allowed exception to read-only? i.e., transfer the exception to use existing data, but not to save this request data?
17:06:22 ISSUE-143?
17:06:22 ISSUE-143 -- Activating a Tracking Preference must require explicit, informed consent from a user -- closed
17:06:22 http://www.w3.org/2011/tracking-protection/track/issues/143
17:06:54 ... 143 is about if someone other than UA setting DNT signal that they identify themselves as the setter
17:07:01 use https
17:07:05 issue 143 is closed, with pointers to 194?
17:07:07 existing data. I'm not sure what you mean (cue HTTP is stateless)
17:07:10 schunter: hmmmm.
17:07:16 ... good issue
17:07:31 shane: maybe we discuss later due to how big it is
17:07:40 q+
17:07:46 schunter: how can we make this discussion more productive at f2f?
17:08:02 issue-194?
17:08:02 ISSUE-194 -- How should we ensure consent of users for DNT inputs? -- open
17:08:02 http://www.w3.org/2011/tracking-protection/track/issues/194
17:08:24 aleecia, I mean the ad auction is about finding a premium based on past behavioral data -- the current request cannot be added to that data, but older data can be used to make the ad personalized
17:08:25 shane: f2f discussion would be okay. one concern is size addition to header... no one has a problem with doing it, it is more about the technical imp
17:08:43 q?
17:08:48 q+
17:08:54 schunter: no formal discussion now, but would like to hear feedback here with thoughts about this
17:09:04 q+
17:09:06 ... unclear how to make this work
17:09:16 -efelten?
17:09:21 q?
17:09:24 this is assuming that the user has consented to personalization for *this* site.
17:09:24 ack np
17:09:48 nick: i would have concern with trying to id software in the signal
17:10:06 ... this could go against decreasing fingerprint-ability
17:10:15 ... i do understand why this is needed
17:10:16 roy, i'm not sure that solves anything?
17:10:33 +q
17:10:35 ... maybe add an additional char to represent default versus user setting
17:10:46 q+
17:10:59 Nick: user preference vs default setting
17:11:05 ack ri
17:11:27 npdoty, I don't think we want to condone the default setting by incorporating it in the spec
17:11:31 rigo: user choice has 2 things
17:11:47 s/i do understand why this is needed/i do understand the concern, why servers would want to distinguish software other than the user agent setting dnt:1/
17:11:54 ... group agree default should be DNT unset
17:12:15 ... user choice should be required for DNT:0
17:12:28 Chris_IAB, I agree, it would be a non-compliant signal (that is, we would indicate in the spec that you can signal it but that it isn't compliant, the way we do with "!") right now
17:12:34 ... getting to DNT:1 should be symmetric with getting to DNT:0
17:12:36 q?
17:13:20 -BerinSzoka
17:13:21 npdoty, why would we build a "non-compliant signal" into our spec? Our goal is compliance with the spec, not giving those who want a different flavor of DNT an easy way out of their non-compliance
17:13:34 npdoty, that would be a slippery slope
17:13:39 schunter: issue that other tools can "spray" DNT settings
17:13:40 Chris_IAB, a rare instance of your vehemently agreeing with jmayer!
17:13:56 ... shane's concern "how do i get reliable channel?
17:14:00 ... "
17:14:08 q?
17:14:11 Chris_IAB, some in industry have asked for ways to signal non-compliance, even though we would need to be explicit that defining the signal does not make it a compliant response
17:14:12 shane: yes, that is my concern
17:14:32 -Brooks
17:14:52 The goal is to force transparency of who is setting the DNT signal
17:14:54 q?
17:14:56 schunter: want to be able distinguish who set signal
17:14:56 isn't that what dnt:1 is? :-)
17:15:10 If we don't have that, I don't believe DNT will be implemented by industry
17:15:19 npdoty, how about simply adding an identifier that "we are not compliant with the spec"? Seems a bit silly to me, but it would be better than parsing out fine delineations
17:15:20 q?
17:15:23 q?
17:15:25 I am not seeing the point here -- so invalid sender is going to signal they are invalid -- it will be identified by product characteristics (if ever)
17:15:28 ack ale
17:15:29 ... back to queue
17:15:43 aleecia: matthias raised a point i want to re-visit
17:15:47 s/so invalid/no invalid/
17:16:22 fielding, yes, I have some doubts about how practically helpful it would be
17:16:42 ... anti-virus software that was setting DNT for users and did in registry and therefore rendering UA unable to distinguish how it was set
17:17:00 ... we dont have solutions how to handle conflicts
17:17:01 I believe a signal stating "I'm a valid DNT signal" is a waste of time. Just tell who you are and I'll determine if you've sent a valid DNT signal or not.
17:17:12 ... furthermore, how to even know if conflicts occurred
17:17:21 q?
17:17:23 ... shane, technically how would this happen?
17:17:23 would someone setting the signal actually want to identify that they are non-compliant?
17:17:26 ack Wil
17:17:32 shane: multiple options
17:17:48 ... some change in-flight and some at registry level
17:17:59 ... in either case,
17:18:22 ... in registry, if DNT is set other than by user, they would need to convey in registry as well.
17:18:30 ("via the UA UI" is one of the best phrases I've heard spoken this week) 17:18:30 Wileys, self-identification won't work either -- they'll just lie 17:18:36 ... for in-flight, they would add their id at the same time 17:18:43 q+ to suggest that if it can't do exceptions, ignore it 17:18:45 q? 17:18:46 hwest has joined #dnt 17:18:47 Roy, but I can go after liars legally :-) 17:18:48 ack Chris 17:19:04 chris: 17:19:08 Rigo, how many times do we need to go 'round on that point? Argh. 17:19:23 Wileys, aren't there already legal implications to non-compliance with the spec when claiming compliance? 17:19:35 aleecia, isn't this one option? 17:19:45 ... if they are motivated to lie, maybe we have a signal to say i am non-compliant 17:19:46 it's one we've said no to so very very many times 17:19:58 chris, are you in a cave? 17:19:59 like a zombie, it keeps lumbering out of the grave 17:20:01 q- 17:20:05 q? 17:20:21 matthias? 17:20:23 bad phone connection-- sorry, did you catch me? 17:20:23 are you on mute? 17:20:24 schunter, on mute? 17:20:32 -hwest 17:20:35 Nick, I don't believe so if they are stating something different on their side. If the standard requires the party setting the DNT signal name themselves and they don't, I now have grounds for a deceptive claim. 17:20:47 schunter: concern, no viable tech solution that is robust enough 17:21:00 ... would like to have a bunch of tech proposals 17:21:01 kulick, to clarify for the record, it would be "if they are motivated NOT to lie" 17:21:17 chris, sorry 17:21:19 Remember, the cost of sending additional data on every request MUST be justified on Internet-scale terms 17:21:31 DNT:, 17:21:47 ... send proposals to the mailing list and get responses 17:21:52 given a choice between user agent and "I comply," I'd go with "I comply" to avoid the issues Nick raised 17:21:55 ...
need options to compare 17:21:58 Wileys, if a party indicates a user agent string that you find deceptive but they're clear about it on their site, do you have more of a deception claim than if they sent dnt:1 and are non-compliant but claim compliance? 17:22:05 Roy, agreed - so how do we make it "smaller" and still meet the need. 17:22:12 and it does create an additional hook for enforcement 17:22:18 but, I don't see how we get there - 17:22:31 if one UA isn't compliant but three others are, which one do we send? 17:22:43 q? 17:22:44 ... make sense? 17:22:49 q+ 17:22:49 we'd need an array 17:22:55 q+ 17:22:56 of all the UAs 17:22:59 ack ri 17:23:03 hwest_ has joined #dnt 17:23:06 but some are in flight and some are not... 17:23:12 ick 17:23:12 rigo: concerned that we make untestable requirements 17:23:13 maybe... if the option is "this is my signal that I am non-compliant with the spec" 17:23:49 q? 17:23:49 ... servers cannot see into a user's computer... we are in untest territory 17:24:00 Rigo, if we don't have this, then DNT will likely not be adopted 17:24:02 "I'm non-compliant" is parallel to "I see your signal but don't do DNT." These are both ok with me. I just don't see how we *do* the UA side in a reasonable way. 17:24:13 schunter: how would you solve the problem 17:24:25 ... some product sprays DNT:1 17:24:27 (Ok = I can live with, not that I like. But, details) 17:24:50 rigo, what do you mean by "untested signals"? 17:24:59 Wileys, I don't think it can work -- what we would need is discovery within the user agent itself (like testing to see if javascript is enabled) but that still wouldn't work for user-installed proxies. Ultimately, this issue needs to be solved by social action, not technology. 17:25:03 rigo: it is difficult situation, but sending untestable signals 17:25:27 ... there is no clear tradeoff 17:25:36 fielding and Wileys, I think I agree with fielding on this 17:25:37 ...
having untestable signal does buy anything 17:25:55 oof 17:25:55 +1 to fielding (I was just giving possible alternative suggestions) 17:25:55 ... have to solve by clear reqs and rules in compliance 17:26:00 -JeffWilson 17:26:09 Roy, if we can't find a solution, I believe DNT is DOA 17:26:09 rigo, not just social, but also potential regulatory (ie FTC enforcement?) 17:26:17 schunter: legacy prob also 17:26:20 -Joanne 17:26:23 maybe, yes, unfair competition 17:26:32 -> to Chris_IAB 17:26:38 if DNT is sent and it is non-compliant, that's probably a deceptive behavior 17:27:10 ... we should look at some and see if they provide partial solutions... important that we respect the concern and try to solve 17:27:16 q? 17:27:19 ack np 17:27:23 ... we might fail... 17:27:35 nick: procedural question 17:27:44 ... 143 was closed based upon 194 17:27:46 If the working group does not pressure Microsoft to change its bad behavior, then I agree that DNT is well past dead. There is no point in continuing if folks on the side of "good" are not willing to police their own bad actors. 17:27:49 Without a solution here, we have no balance within DNT. We're forcing high levels of transparency on the Server side (URI resources, TSAs, etc.) and almost none on the UA side. 17:28:04 ... we could re-open but just for signaling as it is broad 17:28:20 schunter: i will make sure there is an open issue 17:28:25 ... for this 17:28:47 Shane, you get that I'm saying "how do we do this, I don't see how" and not "we shouldn't do this," right? So far your proposal doesn't work yet. 17:28:51 Yes 17:28:58 schunter: you okay with approach mentioned? 17:29:01 Matthias - yes 17:29:02 it is is ISSUE-194 that superseded ISSUE-143 17:29:05 q?
17:29:08 yes on IRC 17:29:16 -Aleecia 17:29:17 shane: yes 17:29:29 schunter: good use of last 20 mins, nice work 17:29:30 reminder: register for the f2f if you expect to attend 17:29:43 schunter: we will do whiteboard on this at f2f 17:29:44 -Rigo 17:29:46 -moneill2 17:29:57 ... may 1 for next meeting... bye 17:29:57 -[FTC.a] 17:29:59 -Peder_Magee 17:30:00 -rvaneijk 17:30:01 -npdoty 17:30:01 -samsilberman 17:30:02 rrsagent, please draft minutes 17:30:02 I have made the request to generate http://www.w3.org/2013/04/24-dnt-minutes.html rigo 17:30:02 -[Mozilla] 17:30:02 -schunter 17:30:03 -prestia 17:30:03 -eberkower 17:30:05 forgot to ask about Acks 17:30:06 -hefferjr 17:30:08 -WileyS 17:30:16 Zakim, list attendees 17:30:16 As of this point the attendees have been kulick, schunter, +1.609.258.aaaa, eberkower, npdoty, +1.202.347.aabb, Fielding, rvaneijk, Aleecia, +1.202.326.aacc, WaltM_Comcast, 17:30:19 ... prestia, paulohm, hwest, +1.916.641.aadd, hefferjr, RichardWeaver, sidstamm, Joanne, Rigo, [Microsoft], WileyS, Peder_Magee, David_MacMillan, Chris_IAB, JeffWilson, 17:30:19 ... Dan_Auerbach, +1.781.482.aaee, samsilberman, Jonathan_Mayer, [FTC], Chapell, Brooks, BerinSzoka, moneill2 17:30:24 rrsagent, please draft the minutes 17:30:24 I have made the request to generate http://www.w3.org/2013/04/24-dnt-minutes.html npdoty 17:30:37 -kulick 17:34:10 -Chapell 17:34:16 -Chris_IAB 17:34:17 -Fielding 17:34:18 -David_MacMillan 17:34:19 T&S_Track(dnt)12:00PM has ended 17:34:19 Attendees were kulick, schunter, +1.609.258.aaaa, eberkower, npdoty, +1.202.347.aabb, Fielding, rvaneijk, Aleecia, +1.202.326.aacc, WaltM_Comcast, prestia, paulohm, hwest, 17:34:19 ... +1.916.641.aadd, hefferjr, RichardWeaver, sidstamm, Joanne, Rigo, [Microsoft], WileyS, Peder_Magee, David_MacMillan, Chris_IAB, JeffWilson, Dan_Auerbach, +1.781.482.aaee, 17:34:19 ...
samsilberman, Jonathan_Mayer, [FTC], Chapell, Brooks, BerinSzoka, moneill2 19:25:08 schunter has joined #dnt 20:08:26 rigo has left #dnt 20:21:53 schunter has joined #dnt