Tracking Protection Working Group Teleconference -- 02 Oct 2013

<trackbot> Date: 02 October 2013

<FPFJoeN> 202 is FPFJoeN

<FPFJoeN> Zakim please mute me

<jchester2> Hello to my EU friends.

<schunter> Do we have volunteers for scribing?

<moneill2> jchester2, hi jeff

<jchester2> Welcome to our new CDT colleague.

<Ari> sorry

<Ari> 650.595 is ari

<AdamP> AdamP is aaqq

<susanisrael> +1.917.934.aapp is susanisrael

<Walter> +31.20 is an Amsterdam number

<npdoty> volunteers to scribe for first or second half?

<eberkower> no sorry

<eberkower> i am not on a

<eberkower> regular

<ninjamarnau> sure

<eberkower> computer

<npdoty> scribenick: ninjamarnau

<npdoty> JackHobaugh, could you scribe the second half to help out ninjamarnau?

schunter: No comments on agenda

<wseltzer> Agenda

<JackHobaugh> npdoty: I am not a good typist

Our perspective on how to shape change proposals

<npdoty> scribenick: npdoty

schunter: goal is to come up with a small number of good change proposals

<ninjamarnau> .... Overview on change proposals. To come up with a number of high-quality change proposals.

<scribe> scribenick: ninjamarnau

UNKNOWN_SPEAKER: We would like to reduce and merge change proposals, so that we find consensus easier.
... Reduce it to 2 or 3 really different and high quality proposals. You can also withdraw old proposals that are not valid anymore.
... I like to get rid of change proposals with very few supporters.
... That's my perspective. Over to Carl.

Carl: My background is I come from technical standards. Encouragement to work together to find consensus proposals.

dwainberg: What's the difference between raised and open issues?
... is there a need to reopen issues that have been raised?

schunter: raised means it was not yet tackled by the group.
... before the final call we should address all raised issues.
... I may formally open all issues that are currently raised but not open.

<JackHobaugh> Is there a deadline for "attaching"?

<npdoty> +1, we haven't been making that distinction, but we should Open issues once we're working through them

<fielding> http://www.w3.org/2011/tracking-protection/track/products/5

<Chris_IAB> just joined the call... sorry to be late

schunter: We have 8 newly raisede issues. Want to go quickly through them.

<justin> dwainberg, do you want to speak to these even though chapell isn't here?

<npdoty> Alan sent regrets for today, I believe.

<Vinay> Alan is speaking at IAPP right now

<justin> We'll get into this a bit more with the discussion of parties later on the call!

schunter: 217 on network interaction

<npdoty> issue-217?

<trackbot> issue-217 -- Terminology for user action, interaction, and network interaction -- raised

<trackbot> http://www.w3.org/2011/tracking-protection/track/issues/217

fielding: network interaction is currently described as one or more requests.
... also user interaction is used, the difference is not clear.

<laurengelman> I am 627

<Walter> I am with fielding here

<laurengelman> thx nick

fielding: On issue 218 - data out of scope
... We need to move it further to the beginning of the document and also a more clear definition

schunter: Moving it up is editorial

<npdoty> schunter suggests that part of issue-218 may be editorial, just moving noting out of scope to be earlier in the document

<npdoty> issue-219?

<trackbot> issue-219 -- 3rd parties that are 1st parties must not use data across these contexts -- raised

<trackbot> http://www.w3.org/2011/tracking-protection/track/issues/219

Walter: Issue 219 on context
... the change of party context might lead to profiles of users including 1st party and 3rd party browsing history

<jchester2> We support such a proposal.

schunter: propose a close relationship with the issue on siloing of data

<schunter> http://www.w3.org/2011/tracking-protection/track/products/5

<Chris_IAB> npdoty, I am dialed from 650 but it's a private #

Jack: Deadline on raising new issues?

schunter: today. I will sent a link to the complete list.

<npdoty> 219 is related to 170 (data append), yes? we've been talking about the use

<susanisrael> I thought the deadline was extended to October 16, I am confused.

<npdoty> I apologize if I used "open" when I meant "raised or opened"

<Walter> npdoty: yes, it is related to 170 but since it is also about 3rd party compliance, it is not the same

<fielding> npdoty, data append is usually 3rd party data used in a 1st party context, IIRC, whereas issue 219 is about 1st party data used in a 3rd party context

schunter: the list includes all issues raised by yesterday evening. Only the latest from today may not be included. Issues raised/attached to the old specs are now against the June draft.

<schunter> q hef

<npdoty> http://www.w3.org/2011/tracking-protection/track/products/5

<JackHobaugh> I also do not recall receiving the link to the attached list.

<npdoty> those are still issues we would address, but not our focus for this milestone

<Walter> fielding: correct, I think they should be considered as related nonetheless

<fielding> Walter, all issues are related ;-)

<Walter> fielding: yes, it is all very Zen and all that as well :-)

schunter: What is not attached to the current compliance spec is not on our radar.

susanisrael: There is a lot of confusion about the deadlines. I suggest to extend it to Friday.

schunter: Going to discuss this with the other chairs

<fielding> on the contrary, that means we don't need to mention proportionality at all because it has nothing to do with DNT preference.

Walter: On Issue 220 on proportionality. As an overarching principle for all permitted uses.

<npdoty> Walter, to fielding's point, if DNT isn't being sent, then our document doesn't need to describe how to respond to it, right?

<jchester2> +q

dwainber: On issue 121 - Recommendation to rather rely on contexts than on the party definition.

<Walter> npdoty: I'd be in favour of a DNT-compliant party indicating it's DNT-compliance regardless of the occurence of a DNT-signal

<npdoty> I thought we were talking about data collected in particular contexts in the spec already, but if not, I think it would be great to see change proposals to clear that up

<Walter> eh, its, obviously

<susanisrael> I don't think this change is merely editorial

dwainber: I sent a simple table to the mailing list to explain this for a few examples.

<justin> This is *not* editorial . . .

<npdoty> or perhaps we've been relying on "first party to a network interaction"?

<susanisrael> +1 to justin

<fielding> It is not editorial, but I strongly agree with dwainberg

schunter: is this more editorial?

dwainberg: probably not.

<npdoty> for example, "In the context of a specific network interaction, the first party is ...."

<Walter> I think dwainberg's line of thinking merits further discussion of it

<susanisrael> I do not think that is what the proposed change means, Jchester2

jchester: dwainberg is proposing a major change. To step away from the 1st party 3rd party distinction.

<jchester2> Susan: I think that's what David means.

<justin> I think Dwainberg may be proposing limits on how first parties can use data as third parties, not over how first parties can collect/use data as first parties.

schunter: 2 questions - how to phrase it and second, what rules are attached.

<jchester2> Can David clarify what he means, please.

<johnsimpson> how do you determine the context?

<rvaneijk> Can anyone please post a link to the matrix dwainberg was talking about?

<Walter> rvaneijk: http://www.w3.org/2011/tracking-protection/track/issues/221

<rvaneijk> tnx

<Walter> it is a bit mutilated in my browser though

<Walter> probably need to use a fixed font

dwainberg: use limitations are based on contexts not on parties.

<jchester2> That's not what I understand, Mattias. I think Davis is proposing differemt first party rules.

<fielding> It makes it clearer because a given party changes their role (first or third or even SP) on any given request, but the data collected has to be constrained by the role in which it was collected (not by some nature of the party that collected it)

<rvaneijk> talking about contexts raises interesting questions about audience measurement...

<rvaneijk> the logical conclusion for audience measurement collection in a 3rd / 3rd context would be: do not collect

john: I try to understand the proposal. Does it mean to throw data from 1st party and 3rd party together?

<rvaneijk> So, from a process point of view, it is important to discuss issue 221 before deciding on a permitted use for audience measurement

dwainberg: Not proposing detailed rules. I would like to change the concept from parties to context.

<npdoty> justin has mentioned that we would discuss this further when talking about parties

schunter: I propose dwainberg writes down what he wants to do first.

dwainberg: On ISSUE-222: Personalization or customizing of content should be allowed under certain collection/use limitations

http://www.w3.org/2011/tracking-protection/track/issues/222

<JackHobaugh> Issues 223 through 225 have been submitted during this meeting.

<justin> rvaneijk, audience measurement is designed entirely at third parties who will only be collecting data in a third-party context. Not sure ISSUE-221 is related, but perhaps I'm missing something.

scribe: Personalization could be done in an innovative privacy-preserving ways, aggregating, bucketing

<rvaneijk> justin, if we emprase the new paradigm that david just proposed, then audience measurement needs to be looked at through that new lense.

scribe: by using e.g. low entropy cookies

<justin> I'm not sure dwainberg's matrix changes how third parties can collect/use third party data. Context is the standard one that we've been discussing for years.

<susanisrael> Justin, I think I agree with you but it merits further review and discussion.

was this Rob or Walter?

<schunter> I agree. But D Wainbergs language is a clearer way to express the thing formerly called "1st party" "3rd party"

<rvaneijk> that was Walter.

<justin> susanisrael, Sure, I'll bring this up when we discuss audience measurement at the end. If I forget, remind me!

<schunter> (we used this implicitly constraining party while in fact we actually describe constraints on the data collected in this context)

Walter: We should make sure that personalization only uses non personal data. (Relation to de-identification)

<schunter> (there exists no PURE 3rd party since most of them have a homepage, too).

dwainberg: On ISSUE-223: Define criteria now for the test/implementation phase of the compliance spec

<susanisrael> sure. I need to give it some thought separately, though, since it was just raised this morning.

dwainberg: Give companies that want to implement DNT some guidance on what to expect.

npdoty: This is very valuable. Maybe not necessarily before the Last Call deadline.

<fielding> http://www.w3.org/2011/tracking-protection/track/issues/223

<npdoty> I agree, a very useful discussion, even before CR/Call for Implementations, I just don't think it's a Last Call issue for this document

schunter: we should test how exactly the text of the spec can be tested.

<Brooks> hard to measure maybe, but isn't a requirement?

dwainberg: More than this, want to include user experience feedback

schunter: Too hard to put it into criteria.

dwainberg: Maybe we can put this on the agenda for the next calls.

carl: difficult but needs to be done.

adrianba: We should talk about criteria.

<npdoty> scribenick: npdoty

ninjamarnau: if we want to have a discussion on how to comply, we should talk about the criteria, whether we want to measure compliance or impact on user experience or economic impact
... David suggested that we put it on the agenda again, would ask he clarify what field [economic, ux?] he would want those testing criteria

<JackHobaugh> Is it a "technical spec" or is it a "compliance spec"?

carlcargill: because it's a technical spec, criteria are whether it can be implemented; economic impacts are going to be addressed by the market

<susanisrael> However, the compliance spec is not entirely a technical spec?

<justin> We should take this to the list and dedicate call time to it in the near future

<JackHobaugh> Isn't the TPE the "technical spec"?

carlcargill: implementation with unintended consequences, of whatever type

<ninjamarnau> npdoty, I could take over again

<Walter> JackHobaugh: I thought so as well

<scribe> scribenick: ninjamarnau

http://www.w3.org/2011/tracking-protection/track/issues/224

<Brooks> agree with Jack. We need to be much more careful calling the compliance spec a technical spec

brysn: on issue 224

<johnsimpson> Is the compliance document a "technical" spec?

brysn: clarify the criteria to verify the user preference
... it is related to issue 205

<npdoty> as you might imagine, people use terms like "technical" and "policy" in multiple ways

<justin> Suffice to say this is an open issue before the group that will be discussed in detail!

<fielding> It is related to 205 because the current text in the document directly contradicts what Bryan wants in 224 -- this is not clarification

<npdoty> bryan, is this a distinct issue from 205? or just another change proposal on the same issue?

schunter: Want to discuss 4 issues per week to close at least one per week.
... Issue 10 and Issue 5 already discussed. We need now to finalize the change proposals
... and next week to discuss these final change proposals

jack: Question on language of "draft proposal" and "final change proposal"
... are there different deadlines?

schunter: By October 9th we freeze the change proposals on the listed issues. Then there is one week to "finalize" them by working on the "draft" proposals
... then one more week to discuss and find consensus. All in all it is a two week procedure.

<susanisrael> Some time after the call, I think it would be helpful, if possible, to circulate to the mailing list a revised list of deadlines, because nuances appear that seem to change them each time we discuss them.

+1 to susanisrael

<justin> We've been discussing process for an hour. We need to move on to substance.

schunter: The chairs will decide on consensus by call for objection if there is more than one change proposal with substantiated support.

<npdoty> we have used hums, +1/-1, mailing list requests for any objections for the chairs to assess if there is a consensus

<fielding> Some of these change proposals should be impacted by issue-221, particularly issue-5 and issue-10; we should consider adding alternative phrasing that aligns with issue-221 for those proposals which might be more acceptable with that phrasing. I was already trying to do that with my proposals.

jack: The criteria for consensus should be clarified.

<justin> http://www.w3.org/wiki/Privacy/TPWG/Change_Proposal_Party_Definitions

Issue 10

justin: On issue 10 http://www.w3.org/wiki/Privacy/TPWG/Change_Proposal_Party_Definitions and http://www.w3.org/2011/tracking-protection/track/issues/10
... going through the proposals

<npdoty> I think Amy and Chris were just asking that "list of affiliates" be an example, rather than a hard requirement

<fielding> I would prefer that such additions be made in the sections on first and third party requirements.

justin: 2 things up for discussion - 1. requirement of easily discoverable affilates (privacy policy, well known resource etc.) 2. what defines "one party"

<npdoty> does someone have a pointer to Alan C's language on this? I'm not quickly finding the email

dwainberg: Common privacy regime would be a good way to meet user expectations
... common ownership is less relevant if there is not one common privacy regime.

<npdoty> is the point about transparency to the user? or just that the parties use the same privacy policy?

<susanisrael> npdoty, i agree that that question is relevant

<npdoty> there would commonly be no third-parties in the context of an interaction if a publisher has a particular branding?

dwainberg: even if different ownership companies agree contractually to the same privacy regime, it should be treated as one party.

<Walter> +1 on susanisrael's question

susanisrael: doubt that this is (legally) possible
... and would possible contradict the user's expectations
... it is less stable than ownership

dwainberg: common ownership is also not stable. And even with common ownership the user might not be aware of affiliates

susanisrael: this is why we are talking about discoverability

<jchester2> Justin: Have we agreed that easily discoverability is based on privacy policies? because research shows no one uses or understands them.

rigo: David should look into the "same party" status
... justin: we talked about multiple first parties last week
... I encourage roy to rephrase to address multiple first parties and not only a shared site by (2) first parties

<fielding> I think many people would agree that same-ownership without same-policy is borderline unworkable as a same-context in terms of user expectations. Hence, my proposed definition of tracking. However, I'd be surprised if the same people would allow same-policy (without same-ownership) to mean that the recipient can share with other same-policy parties.

schunter: on issue 5 on definition of tracking

<justin> jchester2, I think that is what I heard last week. But if you want to revisit requiring common branding, you can submit a change proposal! I think the group had moved off it, but I want to consider all proposals (if you don't think WKR in privacy policy doesn't work).

<Walter> fielding: I agree on that, yes

schunter: would like to drop some of them

<npdoty> http://www.w3.org/wiki/Privacy/TPWG/Change_Proposal_Tracking_Definition

Issue 5

schunter: quick straw poll

<JackHobaugh> I am not prepared to vote on the 5 proposals for Issue-5 on such short notice. I need time to analyze each.

<schunter> np

fielding: it's correct that I proposed two different texts

<dwainberg> Chapell's change proposal: http://lists.w3.org/Archives/Public/public-tracking/2013Oct/0018.html

fielding: would like to hear the specific objections to the specific proposals

<dwainberg> Tracking is the act of following a particular user's browsing activity across multiple distinct contexts, via the collection or retention of data that can associate a given request to a particular user, user agent, or device, and the retention, use, or sharing of data derived from that activity outside the context in which it occurred. For the purposes of this definition, a context is a set of resources that EITHER: a) share the same owner, da

<dwainberg> ta controller and a common branding, such that a user would expect that data supplied to one of the resources is available to all of the others within the same context, OR b) enter into contract with other parties regarding the collection, retention, and use of data, share a common branding that is easily discoverable by a user, and describe their tracking practices clearly and conspicuously in a place that is easily discoverable by the user."

fielding: not limiting peoples options to chose from

<Walter> schunter: I think it is better to keep this ISSUE

<Walter> eh, issue

<Chris_IAB> +1 to Roy's point

fielding: tracking definition is crucial. The sites want to comply with the user's wishes. THe tracking definition defines the scop for the whole document. We should not limit our options here.

<kulick> +1 to Roy's comments

<npdoty> I think it's safe to say that grammatical corrections can be consolidated into a single proposal :)

schunter: See your point. We should start by improving the change proposals and see if one gains strong support
... Would it be possible to drop proposal 6 from Roy?

<eberkower> Can we drop 6 AND 2?

schunter: Will send a email on Proposal 5 and 6 from Roy.

<fielding> Today, the language is (6) Tracking is understood by this recommendation as the collection and retention of data across multiple parties' domains or services in such a form that it can be associated with a specific user, user agent, or device.

john: What about the text in the current spec?

<jchester2> I agree with John. We need further clairification here.

<fielding> johnsimpson, right, that was changed after the diff

npdoty: Rob's proposal No. 4 includes the same concept as the April draft.

<fielding> it wasn't oversight -- it was requested by me, many times, on the list.

<justin> We are *trying* to define tracking. That is the point of this exercise. The short-term editors' draft is not relevant. FOCUS ON SUBSTANCE.

<justin> FOCUS.

schunter: If you would like to have a definition of tracking that is not currently in the wiki, please raise it
... otherwise it's off-radar

<npdoty> johnsimpson, apologies about the flux on editors' draft. I agree with justin that the change proposals on the wiki are most important for the group decision.

Issues 24 and 25

<justin> I will discuss ISSUE-25 on the mailing list (as I would have on this call).

<npdoty> to be clear, both already have change proposals, but if there are more to add

<justin> Technically, we're moving 4 along . . .

<kj> If 221 is impacting Issue 25, it will be very difficult to have all change proposals submitted by the 9 Oct deadline

<JackHobaugh> What does come hell or high water mean?

<wseltzer> JackHobaugh: 2 issues a week

<justin> ISSUE-221 shouldn't matter for audience measurement.

- DRAFT -

Tracking Protection Working Group Teleconference

02 Oct 2013

Attendees

Contents

Our perspective on how to shape change proposals

Issue 10

Issue 5

Issues 24 and 25

Summary of Action Items

Scribe.perl diagnostic output