<Chris_IAB> just joined the call
<dsinger> yes
<Chris_IAB> I am 661-100-xxxx
<npdoty> scribenick: hwest
<Marc_> 202 344 4272 is Marc
peterswire: A doc was sent
around, draft framework
... Face to face next Monday, starts noon at Apple's
facilities
... We will have the normal Wednesday call
... Following up on today
... This document reflects a need to have a list of issues we
expect to discuss
... it is for discussion, rather than reflecting an
agreement
... It's a path for discussion
... This is informed by DAA work, so Stu will explain
Stu: As everyone knows, we've
been trying to figure out what DNT will mean going forward and
how it relates to the DAA process, figure out a way to honor
White House commitment while addressing concerns from
stakeholders
... Occurs to me that there are a couple issues in particular
we need to make progress on
... Would help the DAA in moving forward
... In the exceptions category (DAA terminology) narrow the
exceptions [our term is permitted uses]
... We're committed to figuring out a process that would do
that
... The other item is how to ensure that it is the consumer
that makes the choice
... Potential tech and legal avenues there
... Want to ensure that the consumer is making the choice
... whether that's an entity choosing to turn it on or off
rather than the consumer
... From the DAA perspective, we can commit to talking through
those issues
peterswire: Can you walk through the document a little bit?
Stu: Whatever makes sense.
peterswire: Best if you can briefly go through, then we can clarify meaning.
Stu: Number 1 - DNT would be
honored by third parties that collect tracking data, and these
third parties would not collect tracking data on any browser
where the consumer has activated the DNT functionality. Third
parties could still collect data for the narrow set of
permitted uses. For DNT:1 users, if an entity has a permitted
basis for collection of such information, the entity can use
the data only for the permitted uses.
... I know there's been a concern that if data was collected
for a permitted use it shouldn't be reused for non permitted
uses.
... 2 - Non-compliance with DNT would be a DAA violation.
... This is important, 19 cases, company representations in
respect to these principles are in most cases enforceable by the
FTC.
... W3C isn't self-regulatory, this would have the DAA help
enforce.
... 3 - The DAA would modify its current codes, notably
including the current “market research” and “product
development” exceptions to collection limits, including
evaluation of potential retention limitation.
<justin> If you say you're following the W3C standard, that's FTC enforceable. FWIW.
Stu: As we further evaluate that,
would narrow unique IDs or not use them at all if that's
possible.
... Retention limitations may be possible, length probably
differs on each one, but in advance of the meeting I think
there's a lot of work there.
... 4 - For DNT:1 users, there would be no persistent IDs if
there is not a permitted use. The use of persistent IDs for
permitted uses would be limited to the extent practical, and
any such persistent IDs would be used only for any such
permitted use. There would be of a broader study or effort to
address data hygiene in the advertising eco-system, with the
aim of identifying feasible, privacy-protective practices over
time.
... I know that's very important for the consumer community,
very much in the spirit of the White House agreement. Will
obviously need to hear from stakeholders here.
<moneill2> I like it so far
<jmayer> +q
Stu: We have to evaluate what the need is under those permitted uses, and what's practical now and in the future, to get away from unique IDs
<jmayer> "I'm certainly not committing at all that we can get there... that there's no unique ID..."
Stu: Not committing that we can
get there, but will evaluate in good faith
... 5 - We would determine a way to have the DAA codes become a
way for compliance with the W3C syntax. Thus, the DAA standard
with the above modifications would be the working standard for
companies. Adapt the W3C standard to conform to this approach.
DAA would support and enforce against that.
<moneill2> limited duration cookies would work
Stu: Would be modifying the code
that they are already following. All of these things obviously
require process.
... This harmonizes so that there's one, enforceable,
standard.
<moneill2> as long as 1st party cookies cannot be shared with third-parties
Stu: The changes to the code and the standard, if we're able to get there, would not be turned around later; good faith.
<npdoty> ... harmonize these so it's one standard that's enforceable, rather than a panoply
Stu: Tenet of the dialog for the
last couple years is that the default would be off by choice,
we understand the various decisions and discussions of browser
makers.
... For this to be workable for the business community and
provides consumers choice we'd want to make sure the setting is
consistent, standard, and off.
<scribe> ... Done through browsers, not user agents.
UNKNOWN_SPEAKER: Consumers who use the major browsers under this standard would all have the ability to make this choice. UAs we leave for another day.
<efelten> Non-browser UAs would be prohibited from following the standard?
UNKNOWN_SPEAKER: This is the way to get something concrete and achievable now.
<npdoty> ... if we're all serious about this ... browsers, which is how content is viewed .. other user agents leave for another day
UNKNOWN_SPEAKER: Main theme is DNT flag not being set by someone without consumer choice.
So UAs would be prohibited from setting browser flag.
<moneill2> api to set DNT from certificated webpage (with authentication key sent in DNT header)?
scribe: b. The browser choice setting would be available in the browser settings panel, accessible from the traditional browser settings—not through an installation process or other similar mechanism.
<sidstamm> efelten, that's what I understand from reading the pdf
<justin> efelten, Yes, 6(a) seems to say that non-browsers can't send DNT signals
scribe: This is my understanding
of what has been discussed at W3C. Central to White House
announcement, from DAA perspective.
... c. Develop technological measures that, together with
non-technological measures, greatly reduce the risk that anyone
other than consumers are setting the choice. Develop a process
on how to achieve this in a short time frame (3 months).
... Point is that it's not a year process, this has to be
achievable. W3C should figure out the various strains of how
you do that and put the people who configure those things off
to do that. As a lawyer, I'm not in a good place to figure that
out.
<bryan> we need to understand clearly what is meant by "the risk that anyone other than consumers are setting the choice" - who is the consumer, and who may be acting on their behalf
scribe: d. Brief and neutral
description of the impact of turning the setting on. The
browser choice setting would communicate the following to
consumers:
... Another tenet of the White House announcement.
... i. The fact that if the browser choice setting is activated
it limits collection and use of web viewing data for certain
advertising and other purposes; ii. The fact that when the
browser setting is activated some data may still be collected
and used for certain purposes and a description of such
purposes; and
... iii. The fact that if a consumer affirmatively allows a
particular business to collect and use information about web
viewing activities that the activating the setting will not
limit collection and use from such entity.
... Main purpose of that is be clear with consumers what is
actually happening and not happening. Construct of DNT to some
consumers would have a different meaning due to
interpretation.
... Goal isn't to have some long page or persuasion on either
side, but to neutrally lay out those three bullets in
user-friendly language.
peterswire: Thank you for that
explanation.
... For today, many people will have different reactions,
questions on IRC.
... In trying to think about how to be productive today, I
thought we should do clarifying questions about the words here.
Folks may want changes, but let us go through the document for
clarifications and frame it that way
... So first, clarifying questions on what it means rather than
overall statements.
jmayer: Two questions about the
doc. The first is, who does this document represent? Whose
position does it represent?
... Second question, sense of the delta here. I think I have an
understanding of what the proposal was, but I don't have a
great understanding of how this differs from what we've heard
before.
Stu: The document itself was
derived primarily yesterday resulting from a conversation I had
with Peter, this hasn't been approved by the DAA as a whole
though I am speaking on their behalf today.
... I'm sure I'll get questions and comments on it from DAA
members now and later.
... The timing is just because of the timing of our
conversation this weekend
... Recognizing that there's a deadline coming up in a couple
months, so I suggested some items to focus on.
jmayer: So this reflects your position?
Stu: Yes, this reflects my
thoughts on a path forward.
... This is a means for discussion, rather than a final
document by any means.
... Could solve some open items here, just represents my view
of a constructive path forward.
<dwainberg> I'm super curious now which of the advocates, if any, have been in on this
Stu: Delta from previous things
include the market research and product development
narrowing
... And look again at the other DAA exceptions
... Which is, I think, a narrower list than the list discussed
at W3C.
<dsinger> hm, "DAA exception" is like "W3C permission"?
Stu: Also recognition that unique IDs wouldn't be used for DNT:1, try to limit that for permitted uses
<npdoty> like "permitted use", I think, yes, dsinger
Stu: There will be questions
within the business community, but there's a logic there that
makes sense to pursue
... Further nail down the hygiene in the advertising
ecosystem
... I haven't been part of the W3C discussions back and forth,
my sense is that every idea under the sun has been floated,
looking for a path forward.
... I know that DAA text has been suggested as part of the W3C
text, but haven't suggested bringing the two together this
way.
peterswire: Language in 1 saying that data collected for a permitted use may only be used for permitted use
Stu: That's always been what's intended in the DAA code, but some don't believe that. Should help clarify.
<npdoty> it sounds like there's a delta from the DAA code, based particularly on exceptions/permitted uses around market research / product development and perhaps purpose limitation/identifiers
<npdoty> but there might also be an interesting delta from the current compliance spec
justin: A couple clarifying
questions. How does this intersect with cookie controls?
Limitations on the types of UIDs that can be used, or
fingerprint technologies?
... Would you require browsers to turn on third party cookies
as part of default settings?
... And in the Amsterdam meeting, DAA folks had suggested
adding marketing or advertising as a permitted use, is that on
the table? Or just the existing permitted uses in the W3C
document?
<jmayer> I'm still uncertain about how this differs from previous advertising industry proposals within the W3C process. The substance is borrowed entirely from the DAA.
<npdoty> I think the delta from our current documents would be mostly on the UA restriction side?
Stu: As I understand, marketing permitted use came up as industry, who believes they create tremendous value here, this is an area that everyone on all sides is passionate about. Specifically, marketing and advertising would not be a DAA exception in this path.
<justin> Marketing and advertising NOT proposed as exceptions --- ok, that's what I thought.
<jmayer> Nick, that seems a fair characterization. Roughly half of this proposal is about user agent restrictions, I would note.
<moneill2> +1
<johnsimpson> Q?
<npdoty> ... part of a heated discussion, to answer, no, marketing and advertising wouldn't be exceptions
Stu: To the first question,
cookie controls, that's an area that has caused a lot of
concern in the business community particularly.
... I think the term you used, would we 'require' browsers to
turn on by default, we wouldn't require anything. DAA standard
would have the defaults as described. Browsers choose at their
own discretion, we would hope that browsers would choose the
standard.
... I guess the question would be what is permitted under DAA
or W3C; if the current Safari browser blocks cookies, so long
as we're providing the transparency and uniform choice of the
DAA principles, would not be a violation to use a different
technology if the cookies are blocked.
... If Apple adopted these tools, and separately had a block
cookies setting, other technologies could be used as long as
they provided choice.
... If consumer set a DNT flag, then no technology could be
used.
<npdoty> ... other technologies [fingerprinting?] could be used, if a standard choice was presented and cookies were being blocked
<justin> OK, so what I think Stu is saying: if your browser blocks cookies by default but DNT is only in browser settings, DAA would require members to honor browser's DNT instruction
<justin> +q
Stu: Cookies can already be blocked today, but folks want to address all technologies. DAA system has always been tech neutral. If DNT:1 is on every browser, that should work regardless of tech.
rvaneijk: Would this mean opt out cookies are redundant? If not, what trumps?
Stu: First question, we don't have any plans to phase out opt out cookies, it's a system that works.
<npdoty> we currently have text in the Compliance spec on how to handle cases where opt-out cookies and DNT signals are present simultaneously
<jmayer> If I understand correctly, Stu's position is that third parties would be able to circumvent browser technical countermeasures under this new proposal.
<npdoty> http://www.w3.org/2011/tracking-protection/drafts/tracking-compliance.html#interactions
Stu: Icons give transparency and lead to that, would not be good to remove 2 million opt out cookies set through the DAA. Our intention is that this would be complementary to the DAA program.
<justin> jmayer, That's not explicitly in the proposal, but I'm not sure it's new either way.
<Mike_Zaneis> @Justin I'm not sure that's what Stu said regarding cookie blocking defaults.
Stu: Second question, haven't given it a lot of thought, only situation where there's conflict is DNT is unset and cookie opt out is set (or vice versa) and the answer would have to be that if either is set, then they are opted out.
<npdoty> jmayer, I interpreted that as saying that it wouldn't be a DAA violation to circumvent cookie blocking with other techniques if a service supported DNT
<sidstamm> I heard what npdoty heard here, jmayer
Stu: That's something worthy of further discussion. This is an additional tool, not limiting.
<rigo> I think jmayer is not reflecting it correctly. It just means that outside DNT we are still in arms race
justin: Choice would only be in browser settings, presenting on installation is invalid, why is that?
<sidstamm> are "setup wizards" allowed to set DNT?
<jmayer> Nick and Sid, since a company is required to honor Do Not Track, yes, both would happen. But note that DNT and countermeasures might have very different impacts. In particular, DNT might result in continued collection of a user's browsing history.
<justin> sidstamm, No, per 6b.
<sidstamm> I don't think it's clear
<npdoty> ... mentioned that was part of the White House agreement
Stu: We need a consistency, we need it in one place, there's a lot of concern that providing it at install is essentially an opt in, the way it can be presented. Could be encouraging of opt outs. Strong concern from business community
<justin> sidstamm, Well, Stu is clarifying that right now :)
Stu: that we shouldn't be encouraging opt outs from responsible players. Trying to make it neutral, rather than favor one way or the other.
<sidstamm> justin, I think there's a difference between "preselection" in a wizard (hidden, nonobvious) and forcing the question by requiring a yes/no to the question on setup
<jmayer> I think this is what was just said, attempting to capture accurately: "We think, as a matter of policy, we shouldn't be encouraging opt outs."
<jmayer> +q
peterswire: The words on the page would be a technology neutral mechanism (DNT) will be built into the browser, one click (DNT on) would be honored by all DAA members. stu: Also enforced against non DAA members, by the BBB and DMA.
<justin> sidstamm, I agree, but 6b and Stu's explanation say that unclicked inclusion within wizard is insufficient as well.
<npdoty> enforced against non-DAA members by DAA/BBB?
(oops I think I mixed some of that up, some was Stu)
<sidstamm> I see, justin, it should be clarified.
jmayer: Help me understand how the DMA and BBB would enforce this if a website doesn't say they honor DNT, if they're not part of DAA?
Stu: I think what we're really
talking about is third party tracking, not websites. Under the
current construct, people are participants of the code - DAA
members - have license agreements and contracts that are
specific and strong.
... Has been demonstrated that compliance is higher than
compliance with statutes. FTC has documented that.
... Given the closeness of the ecosystem, you get almost 100%
compliance.
<npdoty> ... condition of membership with DMA and codes of IAB and NAI, broaden the pool of covered companies
Stu: In addition to DAA
participants, condition of membership in DMA, IAB, NAI, so
broadens the pool
... Beyond that you have BBB, serves to change behavior.
... The fact that an investigation occurs, almost without fail
companies have changed their practices.
<justin> +q
<Chapell> First party can't share if DNT:1, correct?
Stu: The other thing that I've seen is that if the company doesn't get caught in that vast net, if the BBB or DMA refers the case to the FTC, even if the FTC does not find a specific legal hook, inevitably those companies are bad actors in other ways, and they find other ways to prosecute under Section 5.
<moneill2> Chapell, yes
Stu: When you get a standard that's followed by 90+% of companies, FTC unfairness authority kicks in where it otherwise wouldn't
<Chapell> Thanks, moneill2
<justin> stu: If the DNT standard is widely followed, FTC should be able to enforce against non-DAA members through enforcement.
<moneill2> good point
rvaneijk: Approach sounds like a DAA move forward, what if the W3C standard turns out to be more strict than the DAA approach?
<npdoty> ... proposal would be a nice to have if the W3C standard and the DAA are aligned
<rvaneijk> to me the approach sounds like separate track, DAA way forward, with a nice to have if the W3C standard is going be aligned. What are your views on that? and what if the W3C standard turns out to be stricter than the DAA approach?
<npdoty> ... you can look at the MSFT default switch and what companies have honored, and companies are not following that
<npdoty> of early implementations, I'm not sure which are actually ignoring IE users' DNT signals
Stu: If the W3C is more strict
than the DAA approach, would have to see what it is, our strong
position is that a huge cross section of the business community
has developed tools here. We're ready to make them
better.
... If a standard comes out that blocks cookies or undercuts
the value our member companies provide consumers, I don't think
they will follow it.
<jmayer> I'm now more confused. Stu claimed this would be enforceable against non-DAA members. But then his discussion focused on incentives and a (disclaimed) reach theory of FTC authority.
<moneill2> cannot see how wrc tpc could be less
peterswire: Stu said earlier that
there is work to be done to see how the two efforts would work
together.
... Stu, you mentioned third parties. How about first
parties?
Stu: The standard for DAA on transparency, one or the other has to comply; different obligations on each entity.
<npdoty> jmayer, I thought initially the extension was about DMA, IAB and NAI membership; I think there are different views on the FTC authority
Stu: They have an independent obligation. In respect to choice, raised that first parties could collect data and aggregate through a third party, do same thing as a traditional ad network. Under DAA, drafted to not have a loophole there.
<jmayer> Nick, all DMA and IAB members would be required to subscribe to the DAA principles? And what about the many companies that presently choose not to join the principles?
Stu: As in the current DAA principles, would continue to apply if consumer set DNT:1
<Marc_> If DNT:1, first party could not share or transfer data with unaffiliated third party.
<tlr> Marc_ -- that's Marc Groman speaking?
<moneill2> should GA block img tracker if DNT 1 then?
<npdoty> jmayer, I'm not claiming any detailed knowledge of DAA organization, I was just trying to note what I thought Stu had said :)
ChrisPedigoOPA: I just had a question about implementation and the DAA has a strong track record being able to reach companies and get them to implement. If W3C could finish workable spec, can you give us an idea of the timing for implementation from past experience?
Stu: It really depends on the practical reality for companies of what can be implemented. If we put aside for a second where things get narrowed on permitted uses, it would seem to me that the standard would be applied, question is how can companies recognize the signal and put out the technology.
<Mike_Zaneis> @jonathan Stu is saying that this approach would take voluntary W3C standards and make them mandatory for 90+% of the industry. IAB, DMA, And NAI all require adherence to these types of principle. Collectively that covers 3,000 companies representing nearly the entire industry.
Stu: If the goal is to have all the browsers adopt this as well, each of them will have to make changes too. There are product cycles, have to explore it. Goal to do it as quickly as possible.
<Wileys> I believe the immediate de-identification requirement for DNT:1 signals will take companies time to implement.
<Zakim> rigo, you wanted to ask about browser focus in 6.a and comparison to mobile web and widgets and web applications
Stu: DAA stuff is all functioning today as well, changes would take some time for some changes others might not need changes.
<jchester2> I also have to go to another call. Thanks.
Rigo: Two questions. First, heard Stu saying that there are provisions in the DAA that disallow first party circumvention of limitations by collecting and then contracting out to do the same thing. Would be interested to hear whether he thinks that could be built into the DNT standard.
<johnsimpson> Apologies, will be going to another call at 10 PT (1 ET)
Rigo: Second, Stu is not opposed to first party clearly can offer DNT options to their customers.
<npdoty> Chapell, johnsimpson, you wrote about some limitations on first party use; do you have a sense of whether the DAA proposal about limiting those loopholes is similar to what you had in mind?
Rigo: Third, question about 6a, mobile web is bigger than the desktop web nowadays. Ads on mobile will be difficult because smaller screen real estate. So DNT has great potential here. Will 6a exclude web apps that have no browser, but use web stack like a browser would?
<johnsimpson> i don't know what the DAA intends
Stu: First, re DNT standard matching DAA restriction on first party, the way I think it would play out is that it wouldn't stop first party cookies unless they're used for just that purpose. Standard itself would restrict companies from sharing that data.
<npdoty> johnsimpson, absolutely, I was just curious if you'd compared to their existing code on that particular question
<sidstamm> apologies all, I have to run to a 10a PDT call
Stu: Haven't thought about how the first parties would know that. Would have to read the DNT setting, don't have a view about whether that works or how they would want to do it. Something we'd have to figure out.
<Marc_> Peter, thank you very much. Have to run.
Stu: On first parties, it's the
same question, I don't have a sense of whether we'd view this
as first parties honoring. I haven't thought through the
implications of that. Certainly not something we'd support in a
standard itself.
... The mobile web is a complex issue. First off, the DAA has
been in the process of developing a mobile web implementation
of the existing standards, goal to combine them so that it's
one standard regardless of technology. Release in the coming
weeks.
... What we would envision there at a high level is that the
standard would apply to mobile web and data collected across
apps over time in a similar way. The tech between app and
market and OS and what happens on browser is different, we're
in the process of commissioning an app that would serve the
same functionality. Lots of detail to sort there.
peterswire: We have a call coming up Wednesday, thanks Stu
roessler: Thanks Stu, looking forward to hearing from the stakeholders in the group more broadly in the lead up to the F2F
Call adjourned.
npdoty, thanks - saw you correcting some pieces, was falling behind scribing in some places!
Present: Amy_Colando, +1.609.258.aaaa, JeffWilson, moneill2, +1.202.326.aabb, paulohm, +1.415.999.aacc, Fielding, +1.703.370.aadd, sidstamm, npdoty, dsinger, Yianni, Joanne, Peder_Magee, johnsimpson, rvaneijk, +1.646.827.aaff, SusanIsrael, wseltzer, BillS, prestia, [CDT], +1.415.471.aagg, jchester2, dwainberg, +1.917.846.aahh, BerinSzoka, Dan_Auerbach, +1.404.385.aaii, hwest, Chris_Pedigo, +1.202.344.aajj, Rigo, +1.202.587.aakk, WaltM_Comcast, RichardWeaver, efelten, Chapell, chris_IAB, +1.908.239.aall, WileyS, Marc, +1.202.370.aamm, robsherman, [Microsoft], hefferjr, +1.425.214.aann, kulick, adrianba, bryan, David_MacMillan, Brooks, Lee, eberkower, +49.172.147.aaoo, schunter, Jonathan_Mayer, +1.917.846.aapp, +1.425.614.aaqq, +1.202.257.aarr
Date: 29 Apr 2013
Minutes: http://www.w3.org/2013/04/29-dnt-minutes.html