W3C

- DRAFT -

Tracking Protection Working Group Teleconference

12 Jun 2013

See also: IRC log

Attendees

Present:
Regrets: rigo, wseltzer, tlr, dsinger
Chair: schunter, peterswire
Scribe: Yianni, fielding


<trackbot> Date: 12 June 2013

<Chris_IAB> npdoty, good morning-- did you see my email just now?

<Chris_IAB> npdoty, got your reply just now-- thanks!

<Chris_IAB> npdoty, that's the one. slow server on my side -- thanks :)

<moneill2> zakim. [IPCaller] is me

<Chris_IAB> I just joined from a private number

<Chris_IAB> npdoty, I just joined from a private/blocked number

<eberkower> I'm over here, Zakim

<Chris_IAB> someone in Germany put us on hold?

<dwainberg> I didn't hear any of what Peter was saying.

<dwainberg> Just that he asked if I was on the call.

<npdoty> scribenick: Yianni

<schunter> http://www.w3.org/2011/tracking-protection/track/actions/overdue

matthias: posting in overdue actions
... Rigo is first
... David
... Chris Pedigo

<aleecia> hi

matthias: Aleecia
... Shane

<npdoty> aleecia, did you have an update on your action?

matthias: Rob Sherman
... Thomas
... Richard Weaver

<aleecia> It sounded like dsinger took this one up, perhaps several times, already.

Peter: Richard needs another week on audience measurement

<aleecia> Looks like we can close it as duplicate

<fielding> I completed my two actions and moved them to pending review

Matthias: Susan Israel

<npdoty> I think some of the action items on audience measurement have already been postponed again by a week

Peter: same project as Richard

Matthias: Justin action 401 he sent

<scribe> ...pending review

Justin: sent on a different action. Action 401 is different
... reluctant to make changes to compliance spec, confused on what he should be working on right now with June draft

Matthias: take a look at compliance related actions

<justin> Probably flux.

<Chris_IAB> I submitted action 407 today

Peter: correct to say compliance actions are in flux

Matthias: want a quick status review of some of the issues
... pushback on issue 192 from Rob

<scribe> ...closed issue 192, but created issue 201 for Rob's concern

UNKNOWN_SPEAKER: we are down to 12 or so open issues
... quickly discuss incoming actions

<schunter> http://www.w3.org/2011/tracking-protection/track/issues/200

UNKNOWN_SPEAKER: one issue I would like to look at is issue 200
... want to make sure that something is going on

<WileyS> +q

UNKNOWN_SPEAKER: Rigo and Shane wanted to propose text
... Is Shane or Rigo on the call?

Peter: big W3C meeting in Japan

Shane: we have provided draft text in conversation. we need to wrap together
... the remaining issue on caching is part of a group conversation
... where a server cannot speak to the server directly. Can I turn that into draft text

Matthias: we converged on language, if we have user granted exception, website can cache and send to other servers, if you receive new information the cache has to be refreshed and passed on

Shane: only thing that is not needed is sharing
... in exchange scenario, individual servers in situations where you cannot speak to user agent directly, you would rely on last known state
... the next time you interact with user agent directly, you would update that state
... more effort to manage state in those scenarios, but believe you should offer those options

Matthias: behind some layers of other servers

Shane: way exchange servers work, exchange has direct communication with user agent and is speaking with those participating in a bid server to server, not speaking directly to user agent
... they may have been granted an exception, but since they cannot speak to user agent directly, they cannot receive 0

<jmayer> +q

<efelten> If you're not speaking to the UA, how do you know which user it is?

Shane: on next interaction with user, they must update the status

Matthias: web wide exception, you know you have a user granted exception from say yesterday

Shane: all of this is done through cookie id mapping, exception from user ABC, so I will treat them as if I have an exception
... it is because of the disconnect, inability to talk to UA that they need concept of caching

Nick: thanks for the explanation. Issue tracking question, 201 for tracking of caching or is it for the interaction between UGE and out of band

<jmayer> I think we should have a new ISSUE and move on. There are some engineering solutions here, but no reason to take up the call with them.

Nick: question of granting web wide exception and my interaction is passed on through an ad exchange, can you get to scenario where user cannot revoke an exception?

Shane: it would be a very narrow use case, the only way server would never interact with UA if they only did business through exchanges, one or two players in the marketplace
... there is a lot of business motivation to have direct interaction with user

<npdoty> issue-200 for transitive exceptions and server-to-server communication; issue-201 for interaction between uge and oobc

Shane: the first time you win a bid, you are able to serve content, at that time you are touching user agent and can update
... cannot think of a scenario of never having a direct interaction with user agent again
... do not think it is a realistic scenario

<npdoty> wileys, understand it might be rare for third parties to get into a long-term scenario where they don't interact directly, it would just provide an incentive for getting an exception and not directly interacting with the user

Shane: I could see from a pure technical perspective, but cannot see from a business perspective
... first you need to get the exception, start with getting user granted exception, then cache, then move into a pure server to server position
... could create non-normative language to say if that was your intent, it would be inappropriate

<aleecia> jonathan?

<aleecia> we hear no one

<WileyS> Jonathan - we cannot hear you

Matthias: jonathan you were on Q for caching user granted exceptions

<WileyS> +q

Jonathan: understand use case, there are serious problems with stale dnt signals or misuse, and we can come up with something that works

<npdoty> part of the intent of web-wide exceptions has been the situation of getting an exception directly from the user (in a first-party scenario), and then applying it to a third party scenario

Shane: Nick create an action to propose text, more than happy to add prescriptive details, or add text to use caching to hide from seeing dnt signals
... we can provide true technical details in non-normative text

Jonathan: first explore if there is a way to do this where we have no problems technically, straightforward engineering problem

<npdoty> can we have two actions then? Shane to propose as he sees it; and Jonathan on a possible cache-invalidation approach

Shane: Jonathan, why don't we split into two tracks, I do not know how to predict a UGE when you do not know if that server is participating. I will move forward with draft text, understanding you will disagree

Matthias: took a while to understand precisely the scenario, then we may be able to find a technical solution

<npdoty> ACTION: wiley to provide text on caching exceptions in cases of server-to-server communication (detail on the use case, in particular) [recorded in http://www.w3.org/2013/06/12-dnt-minutes.html#action01]

<trackbot> Created ACTION-421 - Provide text on caching exceptions in cases of server-to-server communication (detail on the use case, in particular) [on Shane Wiley - due 2013-06-19].

Nick: can you give an action to Shane

Matthias: do scenario use case first, then come forward with the solution

<npdoty> jmayer, do you want an action item for a cache invalidation proposal? or just respond to Shane on mailing list?

Matthias: next item on my list
... Justin issue 153 text
... Justin could you summarize the text

<schunter> http://www.w3.org/2011/tracking-protection/track/issues/153

<npdoty> http://lists.w3.org/Archives/Public/public-tracking/2013Jun/0061.html

Justin: basic idea, if you are in a position where you cannot determine in real time and you use the P signal

<npdoty> (this is not related to issue 153)

Justin: add a caveat, you cannot reject a signal because it is a user agent you do not like

<jmayer> +q

Justin: you have to reject a user agent in real time

Matthias: text sounds reasonable, suggest putting it in spec and giving a final review in the spec

<schunter> http://www.w3.org/2011/tracking-protection/track/issues/195

Matthias: actually issue 195

Jonathan: make sure that the option of not having option flag preserved
... i am of the view that if you are not sure if you do not have an exception, act as if you do not have an exception

<npdoty> "act as if you don't have an exception, and work to clarify that"

Jonathan: could iterate on the text, but some members of the group think it should not be in the document at all

Matthias: I think we can reach consensus, the P signal does not relieve compliance at all. Sending P does not do anything to tracking
... all it does is give more time to give answer, instead of giving answer in one sec, you can now spend an hour

Jonathan: back to the point of misunderstanding, a free 48 hour pass that has not been clearly motivated with a use case
... I would like to have a real understanding of the use case
... we can iterate on the text, but let's not assume this is going into the document, clearly not consensus

<rvaneijk> the P flag is solving a problem for audience measurement, but frankly, the audience measurement parties should innovate IMHO.

Matthias: let's continue discussion on the list

<schunter> http://lists.w3.org/Archives/Public/public-tracking/2013Jun/0065.html

Matthias: the last piece of discussion I have is issue 153

<npdoty> jmayer, I think we've gathered some text on the use case from Ronan; if there is a lot of pushback on that, we should develop alternative text, or, if the alternative text is just silence, we might need to go through the call for objections process

Matthias: basically, proposed text with link
... want feedback on text

<npdoty> Alan's latest: http://lists.w3.org/Archives/Public/public-tracking/2013Jun/0065.html

<Chris_IAB> I support Alan's text

<jmayer> +q

Nick: thanks Alan for providing this, I prefer the text earlier in this version
... must be some confusion with comply with rest of this document, determining user preference section is the key thing we want them to comply with. is it reasonable to focus on that then the rest of the TPE

Alan: I altered language from comments from Matthias, my perspective is that you have to otherwise comply with document anyway, not sure it is necessary

<npdoty> +1 that compliance requires complying :)

Matthias: in my mind, the point was that if you somehow mess with a user agent, it is your responsibility that your extension satisfies the spec.
... need to make sure pieces in browser do not break
... one example, the browser has a user granted exception api, and plug in does not have it

<moneill2> +q

Matthias: basically, not all plug-ins have to do exception API if they reliably pass information on and browser can implement as specified

Alan: question for Nick as early drafter of some of this language, we made reference to another document. I thought we were talking about technical spec and not corresponding section in compliance document

<peterswire> +q

Nick: can respond directly, we wrote this text when there was not a separate user agent compliance section in compliance spec
... my point was about, if you are modifying the preference you should satisfy the preference section

<jmayer> +q

Alan: I do not have super strong feeling, how does requiring compliance with document generally create an issue?

<Chris_IAB> German lady is back

Nick: pointing out an ambiguity, even if you are not a server, you have to implement a server

Alan: Matthias do you have any response

Matthias: does it make sense for Nick to reword

<npdoty> I'm certainly willing to try, though I do think it'll be as Alan has described

Alan: tailor to particular part of the document we are talking about. I can certainly do that

<aleecia> :)

Nick: sounds great to have Alan do

<aleecia> x-ref is good

<npdoty> it's certainly reasonable to reference the Compliance spec, yes!

<jmayer> So, to clarify... we're reserving a decision on whether non-browser UAs have to support the exception API etc.

Peter: I think it is relevant, I think there is some W3C work to make sure we are doing the right things to intercept the compliance and tpe specs

<Chris_IAB> schunter, you have a q on this issue

Peter: i think W3C needs to get clear on what is going where

<schunter> I just realised ;-)

Alan: just making the call for consistency, so fine by me

Jonathan: I think I wound up in the same place as Alan, we will figure out exactly what requirements are imposed on non-browser UAs

Alan: discussion was tailored to should we be referencing particular section in compliance document, and should we be referring section 3 or the complace TPE

Matthias: not about non-browser UAs, it is about intermediaries between browser UA and user
... non-browser UAs are not part of the discussion

Jonathan: plug in would be a non-browser UA

<peterswire> From June Draft: The specification applies to compliance with requests through user agents that (1) can

<peterswire> access the general browsable Web; (2) have a user interface that satisfies the

<peterswire> requirements in Determining User Preference in the [TRACKING-DNT] specification; (3)

<peterswire> and can implement all of the [TRACKING-DNT] specification, including the mechanisms

<peterswire> for communicating a tracking status, and the user-granted exception mechanism.

Matthias: Mike is next

<aleecia> wheee

<Chris_IAB> Mike, which requirement is that?

Mike: the user agents must have default of unset, I do not think we should have must because of circumstances in Europe

<npdoty> in general, we have always accepted that legal requirements could trump our decisions

<Chris_IAB> lost Alan

Alan: my feeling on this is that we have been clear for a while that default needs to be unset. but one could see a scenario where certain jurisdictions - lost Alan

<johnsimpson> we keep losing Alan

<johnsimpson> ok now

Alan: (lost for about 30 seconds) may determine that unset means something different than unset in the US
... it is possible for the EU to interpret unset differently than other jurisdictions

<npdoty> moneill2, to Alan's point, is it more likely that the EU would make requirements about the interpretation of unset, rather than requiring the sending of DNT:1?

<rvaneijk> I am fine with 'unset'

<Chris_IAB> this is why we need a jurisdictional approach to compliance

Matthias: we agreed to this basic language, could only send preference with express preference from user

<npdoty> is Alan's text meant to add to or replace the existing text that says "must have a default tracking preference of unset"?

Mike: Is this new text, must be set unset is difficult

<npdoty> "A user agent MUST have a default tracking preference of unset (not enabled) unless a specific tracking preference is implied by the decision to use that agent."

<efelten> Where is this new text supposed to go?

<npdoty> moneill2, the above sentence is quite old

<jmayer> +q

Matthias: otherwise the requirements for a plug in would be different than a user agent
... we will engineer the text a bit more on the list
... Alan to scope down to specific sections

<jmayer> -q

Compliance

Matthias: I would like to hand this over to Peter
... someone to scribe for second half?

<npdoty> Marc_, can you scribe?

<npdoty> efelten, can you scribe?

<fielding> I will

<npdoty> scribenick: fielding

<efelten> Sorry, I'm walking around. Can't scribe.

<jmayer> I'm not sure why the requirements on extensions should be the same as the requirements for a browser. We should discuss on the list.

peter: talk about June draft, but first a couple things about databases

… in last week, incredible media coverage about building databases (NSA)

<npdoty> ... concern from a former federal prosecutor that interest in ad-related databases may grow

<Chris_IAB> peterswire, with all respect, I question if your offering this analysis is appropriate?

… this whole area could be the subject of intense government interest in the days forward

<npdoty> ... as in the location example, law enforcement, a couple of individuals learn about the use of a technology, and then spread through training / education in that community

peter: how we got to the June draft

<npdoty> ... currently a national and international conversation, society-wide discussion

<jmayer> +q

peter: we are on a tight deadline, there are a lot of interdependencies between the two drafts. In order to make progress, I have been working with W3C staff to come up with a new summary draft that is a clean text close to discussion at F2F

<npdoty> june draft link: http://www.w3.org/2011/tracking-protection/drafts/tracking-compliance-june.html

… effort in the June text is to have a shorter, cleaner, easier to read overall document that selects the options that have more overall support from the group

<npdoty> peter's email: http://lists.w3.org/Archives/Public/public-tracking/2013Jun/0031.html

… erred a little bit on getting this out to you as quickly as possible

<jmayer> Would add that DNI Clapper's strange definition of "collection" has received substantial public criticism. And yet, it's precisely the notion of "collection" that some participants have frequently advanced in this group.

… the goal is to have an overall package for review to see if this is within the ballpark of what the WG can live with

… it hasn't been clear what the group's understanding on timing of compliance … when the group expects that compliance will take effect

aleecia: there was a discussion of a testing flag … when companies assert compliance they will send something other than the test flag

… dsinger raised the issue that we might need something along the lines of versioning to indicate which version of DNT they are testing/complying to

<jmayer> +q

peter: has there been any sense that there is an expected timeline for companies to comply?

aleecia: no, companies have a choice to comply and can adopt the compliance in a timeline accordingly

<jmayer> Once again cut off by group leadership. Joy.

<aleecia> (if there's anyone who disagrees with the model that companies assert compliance when they are ready, I'd be curious to hear why; I think this one is pretty straight-forward)

<WileyS> Aleecia, agree with you.

<WileyS> Thomas, Rob V. and I have more detailed draft text on de-identification - will post soon.

peter: third topic is deidentification and three-state process red/yellow/green

… that process surfaced more issues about transition between states

<WileyS> Would suggest we use DAA de-identification language as the base - not FTC

… in light of those discussions, june draft returns to language close to the FTC language where you are one side of de-id line or the other

<WileyS> +1 to Rob - not sure why this wasn't reflected either

<rvaneijk> Definition choice is very critical, suggestion to follow daa de-identification language must be discussed on the list first.

… also under part 3, there were retention limits on data … after consulting with tlr, june draft did not include those

<WileyS> Rob - agreed - we should put both up for discussion (FTC and DAA) - they're close so a hybrid should be possible.

<justin> rvaneijk, wileys, It's just the chair's proposal. There are lots of other proposals that aren't included. It's an effort to pick from among all the various options in the current editors' draft (and others).

<Chris_IAB> +1 to rvaneijk comment above

… language of UIDs was added to june draft as well

<Chris_IAB> peterswire, where is this coming from?

<Chris_IAB> peterswire, are you saying that you feel the June draft is not sufficient? I'm confused-- need clarification

… june draft contains data minimization language from the draft framework with new language on not relying on UIDs if alternatives are available

<jmayer> +q

<WileyS> Peter - this appears to miss everyone's conversation in Sunnyvale (unique IDs)

<Chris_IAB> did we reference the FTC de-id language in the June draft?

<WileyS> Chris, Peter did - not "we"

… there are certain places where folks on the consumer privacy side have not got what they asked for, and places where industry has not got what they asked for

<jmayer> -q

… for example, Vinay asked on the list about "only" in the service provider text, we welcome more such input on the mailing list

… there may be other areas where the drafting group did not find text that matched where the WG views seemed to have some form of consensus, so looking for more text along those lines

… next Wed will be a much more organized review, issue by issue

<jmayer> +q

Peter: that's a mouthful, now ready to open q

<aleecia> jonathan, partly breaking up; hard to hear

<npdoty> jmayer, I can't hear you

jmayer: I am uncomfortable with the process of work here. This is the third unilateral document that has been brought to the WG [broken up]

<aleecia> losing you again

<Brooks> still can't hear

<Brooks> now audible

<justin> I am uncomfortable with the complaining about discomfort. The group has tried and failed for 2+ years to generate consensus. This was a good faith effort to identify a potential path toward consensus. I appreciate the chairs and W3C staff iterating to try to drive this forward.

… the first was a discussion framework, then an end of meeting summary, and those docs were pitched as having no decision impact

<Chris_IAB> can't hear

<npdoty> I think jmayer's three documents are: draft framework, post-meeting consensus action summary, June draft

<aleecia> silence

<WileyS> Hard to follow - is the conversation broken up for everyone else?

<johnsimpson> can't hear

<Joanne> yes Shane. can't hear him

… subsequently, both documents have been used as a description of the WG's work rather than proposals

<npdoty> ... not a political body, but a technical body, should work in a more transparent way, get back to that

… I am not willing to work this way. This is not a political process where behind the scenes negotiation determines what is in the document. This is supposed to be a public process where input is in the working group forums.

<aleecia> +1

johnsimpson: [scribe missed]

<npdoty> johnsimpson: concern about lack of non-normative text

<npdoty> ... need text to explain what the normative text means, and as in the de-identified discussion, lack of non-normative agreement can sometimes paper over gaps / lack of agreement

<johnsimpson> I expressed my concern about the lack of non-normative text. You need use cases and explanation of what text means...

<aleecia> uh.

peter: I understand that folks have concern, but this is an attempt by the chair and the W3C staff to find a path of convergence

<jmayer> Justin, if we don't have consensus, so be it. But that's no excuse for short-cutting the transparent processes.

<rvaneijk> sudden end of the meeting...

<WileyS> Guess the call is now over. :-)

<jmayer> That was abrupt.

<aleecia> wow, ok

<rvaneijk> strange process..

<Chapell> wait - what happened?

<Chris_IAB> Wiley, lol

<justin> jmayer, I don't see how putting forward a proposal isn't a transparent process.

<aleecia> do we have a process forward?

<npdoty> ... continue on mailing list and on call next wednesday

<rvaneijk> no,

<WileyS> Have a great day everyone. L8R

<peterswire> there were no more comments on the list, and that's why we ended

<aleecia> is there a time in which comments are due, and if so at what level?

<johnsimpson> there was nobody in speakers queue so call was ended

john, can you place your comment in IRC?

<Chris_IAB> justin, I think jmayer's concern is that it's the only proposal getting to move forward...

<Chapell> I was under the impression that we might open up to more specific questions about the proposal(?)

<johnsimpson> roy it's there. Nick put it in too

<Chris_IAB> Chapell, you would be wrong

thanks

<Chapell> perhaps that's for next week?

<jmayer> Exactly, Chris. We agree!

<johnsimpson> thanks for scribing Roy

Summary of Action Items

[NEW] ACTION: wiley to provide text on caching exceptions in cases of server-to-server communication (detail on the use case, in particular) [recorded in http://www.w3.org/2013/06/12-dnt-minutes.html#action01]
 
[End of minutes]

Minutes formatted by David Booth's scribe.perl version 1.138 (CVS log)
$Date: 2013-06-12 17:16:34 $
