W3C

- DRAFT -

Tracking Protection Working Group Teleconference

09 Oct 2013

Attendees

Present
+31.65.141.aaaa, rvaneijk, sidstamm, Wendy, +1.646.654.aabb, Walter, eberkower, +1.202.257.aacc, +1.202.587.aadd, mecallahan, FPFJoeN, schunter, Carl, npdoty, +1.202.347.aaee, BerinSzoka, JackHobaugh, +1.203.563.aaff, justin, gashans, +1.301.325.aagg, GShans, +44.186.558.aahh, +1.202.643.aaii, moneill2, +1.646.783.aajj, Fielding, dsinger, LynnJohnson, hwest, +1.303.224.aakk, vinay, +1.650.308.aall, robsherman, +44.142.864.aamm, Adamp, +49.431.98.aann, +1.301.325.aaoo, +1.408.836.aapp, ninja, kulick, Jeff, +31.20.420.aaqq, WileyS, +1.212.231.aarr, +1.215.480.aass, +1.323.253.aatt, WaltMichel, Amy_Colando, hefferjr, +1.415.470.aauu, [Microsoft], kj, +1.646.666.aavv, chapell, +1.510.501.aaww, LeeTien, Chris_Pedigo, +1.323.253.aaxx, Susan_Israel, +1.212.231.aayy, Ari, matt, adrianba, +1.919.388.aazz, AnnaLong, omer, Brooks, Chris_IAB, johnsimpson, +1.202.347.bbaa, BrianH, +1.619.846.bbbb, hober, +1.917.318.bbcc
Regrets
Chair
schunter, justin, cargill
Scribe
ninja, jeff


<trackbot> Date: 09 October 2013

<Walter> wseltzer: hi Wendy

<wseltzer> hi Walter

<Walter> you poached Axel, I noticed

<Walter> :-)

<Walter> Zakim: +??P14 is me

<npdoty> trackbot, start meeting

<trackbot> Meeting: Tracking Protection Working Group Teleconference

<trackbot> Date: 09 October 2013

<FPFJoeN> 202 587 is me

<FPFJoeN> zakim mute me

<eberkower> Lynn Johnson is 203

<hwest> Oops, npdoty, can you fix that?

<hwest> Thanks, wseltzer!

<sidstamm> wseltzer, does that mean zakim is tracking us? ;-)

<sidstamm> wseltzer, oh good.

<Walter> ehm, I'm on Skype

<jeff> Nick, I can scribe if no one else steps up.

<Walter> it didn't turn out too well in the past, scribing-wise

<npdoty> fielding, can you scribe the second half today?

<ninja> scribenick: ninja

<npdoty> mecallahan, can you scribe the second half of our call?

schunter: This time we have 6 issues on our radar for the call.
... Introducing changes to the editors draft.

<dsinger> agenda at http://lists.w3.org/Archives/Public/public-tracking/2013Oct/0151.html

schunter: under what conditions may changes be made. We introduce what we think are editorial changes.

<Ari> 323-253 is Ari

schunter: if there is objection on the mailing list, we will revert it.

<matt> 1.212.231.aayy is matt

<Ari> thank you

schunter: If we see clear consensus we may make these changes in addition to editorial changes.

<matt> haies from 24/7

<jeff> Ninja: From a lawyer point of view, does changing the vocabulary cause a change of meaning?

<jeff> ... so you introduce changes and wait for objection? Correct?

thanks jeff

<npdoty> I did a bunch of changes, and then sent around a bullet point summary of them

<omer> 1.415.470 is omer t

<npdoty> and I made a change for tracking definition, which we discussed on the call

schunter: If we think it's clearly editorial we just make the change. If we missed a change in meaning, we would like the WG members to make objection.

fielding: The "June Draft" itself was never authorized by the group. Therefore, whether or not it's editorial is irrelevant.

<dsinger> …thinks there are two issues here. (a) does the draft have good editorial quality? (b) does it reflect the consensus and state of the group?

fielding: The current draft itself was never only an editorial change.

wseltzer: We want the editor's draft to move to a status where it is reflecting what the group has reviewed and has agreed upon. That means keeping a version stable except for raised issues and changes agreed upon through the group's process.

<Chris_IAB> npdoty, I just joined via a private number

dsinger: For me the relevant question is: is it readable and does it reflect our current thinking, where there is open discussion. The draft does exactly that.

schunter: The draft states that it is not consensus. Fielding, what would you like us to do?

<npdoty> there should be issue pointers now inline

<justin> And this meta-discussion is stopping us from addressing the definition of tracking later in this call.

fielding: We are working through definitions. Unfortunately, there are no direct links to the wiki or the discussion. This may lead to harm for people trying to interpret the spec.

<npdoty> the ISSUEs in the Tracker should also all have a link to the appropriate wiki change proposal page

fielding: There was no need to introduce the not-consensus draft in the beginning.

<Zakim> jeff, you wanted to differentiate between the "starting draft" and going forward.

<justin> fielding, We said no non editorial changes were going to be made at that point. John Simpson pointed out that it wasn't editorial. We're going to pick a definition of tracking NOW. The state of the editorial draft for the next week or so is a minor issue --- it's vaporware and described as such.

jeff: we would like the WG to move forward. I believe peter swire made this decision to set a starting point for going forward.
... Some old issues may accidentally be thrown out of the window.

<WileyS> Jeff and Nick, Does a Co-Chair have the authority to set a net new starting point for the working group? Especially when the working group had already arrived at a different starting point?

jeff: Apart from the open 45 issues we should allow ourselves to make editorial changes.

<fielding> justin, what you said was irrelevant … I can point to the minutes of when the WD was published where Matthias said this would be addressed in *this* WD

jeff: But we need some starting point and the June Draft seems a good one.

schunter: I will discuss this with the chairs and come back to the group with a proposal on how to move forward.

carlcargill: On item 4. Testing of specification.

<npdoty> WileyS, I believe Peter made this assessment of the group during a call in June

<jeff> Shane, I'm not sure I can answer your question. You ask whether Peter can decide on a starting point that the WG disagrees with. I was not in the WG at the time, so I don't know if your hypothesis is correct.

Testing

carlcargill: The compliance spec is very difficult to validate, because there are few "hard" test points.

<WileyS> Nick and Jeff, I was in those meetings and it was stated without an option for objection. To further the position, Peter then setup a call for Objections between the Industry and Swire/Staff/June Draft - never mentioning the existing document we already had in place.

carlcargill: The proof of the specification is the ability of the providers to implement and for the users to understand.

<Brooks> How can you have a spec that is vague and ambivalent and testable?

carlcargill: Those are the criteria: Will we be able to implement it without breaking something

<dwainberg> What does it mean for implementers to be "able" to implement?

<dwainberg> Is that able at all? Or able without going out of business?

carlcargill: User understanding and common practices also need to be taken into account.

<schunter> 4q?

dwainberg: What does being "able to implement" mean.

<Brooks> industry or company? or what percent of industry?

carlcargill: If the business dies because of the spec, we have failed because no one will implement it.

<dwainberg> And what about collateral effects on the Internet ecosystem?

<npdoty> that sounds like a test just based on adoption, rather than external or automated testing

<justin> brooks dwainberg, I think those are absolutely considerations as well.

carlcargill: What keeps a recommendation alive are the people who implement it

<dwainberg> there are 3rd party beneficiaries to third party advertising, namely publishers

<Brooks> then they must be testable

<moneill2> what if not implementing craters an industry?

dsinger: We went from testability to implementability
... The TPE spec should be able to be testable with reasonable efforts.

<JackHobaugh> Carl, can you explain what you mean by "vague and ambivalent" regarding the spec?

dsinger: On the Compliance spec: This addresses the internal data handling

<npdoty> if people are curious about scripts for aiding in Tk header testing (as mentioned by dsinger), you can see some simple code here: https://github.com/npdoty/dnt-test

dsinger: Maybe it can be only tested by regulators and enforcement authorities.

<Brooks> which regulators?

dsinger: I agree it's not directly testable.

<npdoty> dsinger, you mean *externally* testable, right?

<Walter> +1 on dsinger

carlcargill: Courts and regulations are not valid testers for a recommendation. We will not have a proof and just rely on good will and honesty.

<Walter> the recourse will vary per jurisdiction

<dwainberg> now you're talking about testing for compliance

<Walter> +q

<sidstamm> recourse for any spec non-compliance is "complain that party X is not compliant"...

<dwainberg> that's different from testing against our criteria for what we want it to do, and for limiting collateral breakage

adrianba: The compliance spec is largely about policy. When we walk through the remaining issues we need to pay attention to removing all ambiguities.

<dwainberg> sidstamm, This isn't about testing compliance. It's about testing against the criteria for what the spec should or should not accomplish.

<npdoty> dwainberg, I think Carl is also referring to testing compliance, which is why sid is responding to that

carlcargill: If we do not have valid test points, we have a nice to have spec that is not enforceable. How do we resolve this?

<johnsimpson> that's like most of the WG's discussions...

<dwainberg> Thanks, Nick. I'm handicapped not being on the phone.

carlcargill: As a chair I would like to have a conclusion on how to move forward and provide initial ideas to find "hard" and validatable testing points in the compliance spec.

<sidstamm> dwainberg, npdoty was right.

schunter: Let's take this to the list.

Walter: Not familiar with other testing of standards. But we should not worry too much about the "semi-legal" compliance spec
... it is enforceable by contract and compliance lawyers and DPAs.

<dwainberg> ok, sid; sorry to jump on you for that.

dsinger: I agree we should not ambiguous text, where the provider cannot assess whether or not he is compliant.

<npdoty> dwainberg, I think you were referring to "success criteria" for the group as a whole, which might be a useful term in distinguishing the discussions

dsinger: But to verify this yourself may be enough with regard to testability.

<dsinger> issue-10?

<trackbot> issue-10 -- What is a first party? -- open

<trackbot> http://www.w3.org/2011/tracking-protection/track/issues/10

<justin> http://www.w3.org/wiki/Privacy/TPWG/Change_Proposal_Party_Definitions

<npdoty> I believe going forward Carl is offering to manage a discussion going forward on a testing/testability strategy

Issues

justin: Status Update on Issue 10

<WileyS> 15 mins? I thought we were moving to a single issue per week - should we give them more time? Or is this just the prep and we'll focus on a single issue next week?

<dwainberg> yes, Nick, if by that we mean measuring against what we want and don't want the spec to accomplish.

justin: explaining changes and rationales.

<npdoty> WileyS, I think the chairs want to give a heads-up or a chance for discussion on issues that aren't as far along in the milestones

<fielding> referring to proposal 4

<fielding> bunnies (I included rationale in this wiki document to avoid confusion)

Lee: The thing I wanted to clarify about the multiple first party issue:
... Google search example. I click on a Wikipedia article that comes up in the search.
... I would not consider Google a first party in this example

<WileyS> Nick, it would be helpful to setup a calendar out a few months with an issue map per meeting - is this planned?

<WileyS> Click Redirection should be a separate category

robsherman: The multiple first parties as I see it is different from that

<BrianH> zakim 202 347 is BrianH

<npdoty> WileyS, I think the chairs were using the agendas for that, but a calendar plan view might be helpful /cc wseltzer

robsherman: More like an entire website provided by two parties.

<fielding> I am not speaking

robsherman: justin and I have tried to make the wording more clear on this.

justin: The original text was designed for the shared website example. We probably have to work on new text for the google example.

<npdoty> it's part of fielding's rationale and example, though I'm not sure it's actually explicit in his proposed text change

do we have a second scribe who could take over?

<FPFJoeN> sorry, can't

<justin> Well, Google would still be able to use search terms under Lee's perspective.

<jeff> Nick, do you need me to scribe?

<npdoty> scribenick: jeff

JohnS: ED language defines "party" and discusses affiliates
... Does Roy's proposed language deal with affiliates?
... Oh, that's proposal 3; then proposal 4 is first party.

<dsinger> …thinks we need to work through the Google example. If I go to Google and search and they present results, they are the first party. I click a link on their results page, they are the first party for that click, and the destination becomes a first party once I visit it. can we detail a different example which is problematic, because this doesn't seem to be

Roy: Yes, 3 is party; 4 is 1st; and 5 is 3rd.

<npdoty> Lee: when I think about the consumer, I don't think the user expects to interact with Google when clicking on a search result, and maybe I would be outvoted/alone in that expectation

Justin: Does anyone like existing ED over Roy's reformulation?

<robsherman> To be clear, Roy isn't proposing to eliminate multiple first party language, right?

Justin: you can also register opinions on list.
... Alan's proposal has gotten discussion on list.
... Roy/ED and Alan's are quite different

<fielding> robsherman, right -- see second para of proposal 4

Justin: parties based on privacy practices and contracts.
... Alan?

Alan: Clarification; it's not that ownership and branding are insufficient
... or contractual relationships are worse

<npdoty> I don't think I have Alan's proposal on the wiki page with the other proposals; is there a crisp change proposal we should add to that?

Alan: it's either / or

<WileyS> Legal liability is the key

Alan: struggling to decide which is better

JB: Let's take it to the list.
... We'll need CfO
... Also, separately, Lee's concerns

<WileyS> 20 distributed companies can argue liability amongst them whereas a single legal entity that owns another entity cannot

<Walter> WileyS: +1

<fielding> well, the compelling reason is that regulations are applied by party (by owner/controller)

JB: Either convergence on list or CfO
... close discussion on this issue.

<npdoty> will add Alan's text http://www.w3.org/mid/CE79B7D8.3ACC4%25achapell@chapellassociates.com to the ISSUE-10 list as a separate change proposal

<Chapell> Shane, can you help me understand your point re: "legal liability" and how that applies to DNT?

MS: Issue-5 - definition of tracking
... final week

<npdoty> http://www.w3.org/wiki/Privacy/TPWG/Change_Proposal_Tracking_Definition

<JackHobaugh> Justin, what do you see as the duration for Phase M2 on Issue-10?

MS: goal to converge on consensus opinion by next call
... lucky if successful otherwise CfO
... 5 definitions: Roy, David, Rob, @@, @@

<WileyS> Alan, the definition of a 1st party - common ownership & control are different than contractual relationships alone due to the way legal liability is handled.

MS: How can we best find out if one can be modified to result in a converged position.
... Straw poll. Objections?

<justin> jackhorbaugh, We'll spend a week discussing ISSUE-10 on the list to see if consensus emerges, otherwise we will start a Call for Objections on ISSUE-10 next week (assuming the group is continuing its work).

David: I don't understand "multiple parties" or "cross-site"
... for a single site am I tracking or not is key

<fielding> "Tracking is the act of following a particular user's browsing activity across multiple distinct contexts"

David: so I need clarification discussion

MS: What's your question?

<Chapell> WileyS, thanks for your answer. But you haven't answered the essential question --- how is "ownership" better for privacy? Isn't privacy the point of this group?

<npdoty> fielding or justin, can you refer to "multiple parties' domains or services"?

<JackHobaugh> Justin, Thanks for the clarification.

DS: In Roy's I have "across contexts", etc.
... Is Roy saying can't relate to other domains?

Roy: No, you have a false premise.
... "you need to know as a single site if you are tracking".
... doesn't apply to compliance doc
... multiple interactions over time

<justin> npdoty, Can you elaborate? Sorry, haven't been following irc as closely as I would like.

<npdoty> via the TPE, you potentially need to give a response on every request

<Chapell> Focusing on "ownership" isn't helpful from a privacy standpoint, and encourages situations where

<WileyS> Alan, I believe you're overstating the situation and issue. of course this group is focused on consumer privacy but we also operate in the real-world where concepts of corporations/1st parties are largely legal matters and are already defined.

Roy: understand desire for a "per interaction"; but user desire is to turn off "across multiple sites"

<ninja> fielding: could you specify what qualifies as a "context"?

Roy: could be single domain (unlikely); multiple brands (more likely)
... or multiple parties (shared ownership) is up for debate

<Chapell> Focusing on "ownership" isn't helpful from a privacy standpoint, and encourages situations where large entities are incented to buy 'networks' of sites

MS: Purpose is to give language in intro setting context

<Chapell> .... http://newscorp.com/2013/08/21/news-corp-to-launch-global-programmatic-advertising-exchange/

<Walter> Chapell: isn't this what the SAME-SITE flag is about?

<WileyS> Small sites can merge into a single legal entity as well if they like

MS: so agree w Roy

<Walter> eh, SAME-PARTY

MS: later we need implementation details

<Walter> for contractual relations?

MS: rules to implement "not-tracking"

<dwainberg> Shane, contracts are also real-world concepts that are legal matters and well-defined.

<WileyS> True - but they don't represent 1st parties (the focus of this discussion)

<kulick> FWIW: cross site or affiliate relationships or affiliate sites are used in other texts that govern data collection or use

David: Disagree; channel Carl
... DNT comes in HTTP request

<dwainberg> Requiring small sites to merge into a single legal entity is unreasonable and, again, provides no privacy benefit on its own.

David: what happens in response to that request

[metaphor about shouting]

<Chapell> WileyS - in most contracts I've seen that address ad serving, liability is pretty well defined

<WileyS> David, this doesn't require that - only if those individual legal entities would like to be represented as a single legal entity would they need to do this.

<dwainberg> I don't care whether you call it 1st party or affiliate or whatever ...

<Chapell> Walter: I'm not sure

Roy: Recipient is entity controlling 1st or 3rd party resource
... not at the level at HTTP server

<kulick> If I look directly at you and tell you to stop shouting at me then you know I am talking directly to you... that is opt-out, not DNT

<npdoty> I think fielding is saying, you know if you're *going to* combine with data from other sites

<dwainberg> It's not about being represented as a single legal entity; it's about a data protection regime across sites.

[Restatement of respective positions by David and Roy]

<WileyS> Alan, liability and indemnity are often the most argued points in contracts - so while I agree there is an infrastructure to discuss them - they are not agreed upon and often require case-by-case reviews by courts to determine what was "right"

<Chapell> .... and by focusing solely on ownership, we are simply creating incentives for consolidation --- an issue that this group has time and again refused to consider

David: I agree that if we can find the right multiparty defn makes it much easier
... but need to be more crisp

<WileyS> David, this is about 1st parties and how they are different than 3rd parties. I understand you and Alan represent companies that are deemed strict 3rd parties and are looking for ways to change this most basic understanding but I don't believe your approach is reasonable.

MS: Survey of definitions.
... David doesn't want multi-party

<Chapell> ShaneW - when has Y! agreed to indemnify a smaller AdTech company (:

<justin> No.

ninja: Roy is context definition depend on party definition

<dwainberg> Shane, you still haven't explained how ownership on its own provides better privacy that can be had via contract.

<dsinger> no, I want it to be clear what it means by "multiple". It's push-back on clarity. Once I get clarity, I might not push-back on the definition...

Roy: right now independent.

<WileyS> Alan - we do all the time - depends on the specific nature of the relationship, what we are representing, and what indemnities follow.

<schunter> David: Could you propose re-wording to clarify?

<WileyS> David, that's not the question - the question is what is a 1st party.

Roy: but my concern here is limited to defn of tracking

MS: Other concerns?

<dwainberg> That's a question, but not /the/ question :)

David: It is too long.

<WileyS> David, LOL

MS: That should be our worst problem ;)

<Chapell> WileyS - your concern re: liability can be mostly addressed contractually.... can you say the same re: "ownership" vs "contract" addressing the privacy concerns I am raising?

<fielding> I'd rather be long than misleading

NPD: "Following" is not defined.

<dsinger> I could certainly research the 'tunnel vision' approach and re-phrase it in more precise/modern language

<ninja> +1 to nick

MS: Proposal 2 - no definition at all
... Concerns?

<dsinger> (2) is building castles in the air.

<vinay> do we still consider change proposals from people not within the WG?

@@: Horrible

@@@: Silly

<vinay> does anyone left within the WG still support this proposal?

<justin> We're talking primarily about a scope section now. So (2) basically means no scope section :(

<sidstamm> agree with dsinger

<WileyS> Alan, I believe I've addressed how liability is "slippery" in a contractual relationship whereas in a strict corporate structure it is rigid (forced by tax law mostly)

Chris_IAB: couldn't hear

MS: It seems that most don't agree on this.

<ninja> I think to support jeff in scribing we should go back to using the queue

Lee: EFF always thought that the document would define tracking

<schunter> Rob said: Not agreeing on a definition would speed things up.

<Chapell> WileyS, but you haven't addressed the privacy issue - which is more than just "slippery"

<justin> I think the last speaker was Walter agreeing there should be a definition of tracking.

NPD: So does EFF support option 2 (no def)

Lee: Yes

<justin> To be clear, I previously didn't see a need for a definition, but I do think we should have a scope section that identifies what we're trying to address . . .

<dwainberg> Shane, that can be addressed, and has only a tangential relationship to the privacy question.

Lee: you end up doing the entire WG effort in microcosm
... so just do the work in the doc; not at the definition.

John: If doc says what to do w DNT=1; you don't need defn of tracking

<dwainberg> Moreover, Shane, I don't think you can disclaim liability for a Section V matter :)

<BerinSzoka> Uh, are we going to have time to discuss the poll results? That seems rather important, especially given that the preferred option with the strongest support was to stop work

<WileyS> Alan - the "privacy" question is fairly broad in this context - "what is better for consumer privacy?" is a key theme in many books so it's hard for me to quickly address your question here. I've instead focused on the core need here and that is what is the definition of a 1st party and I've reflected the real-world view of that that means. All of the trade associations you belong to uphold this

<WileyS> definition as well, correct?

John: but willing to explore appropriate def of tracking

MS: Could put as non-normative text

<dwainberg> Maybe you could get indemnity from someone to pay your lawyers, but you'll still need to deal with the FTC

<dsinger> "In rough terms, tracking is …"

+1 to MS

<npdoty> BerinSzoka, I'll be sure to remind the group at the end of the call that today is the day to submit poll responses.

<WileyS> "Tracking" is needed as normative

<justin> (On previous calls, there has been broad consensus that this could be put in a scope section.)

<fielding> We are talking about a user preference protocol. It is normative for TPE.

<JackHobaugh> Berin, the poll is still open for voting.

<rvaneijk> I agree with matthias on just setting the stage

Walter: Not sure that we should go for long on this for now.

<WileyS> How can you have a "Do Not Track" working group and not define "Track"???

<Chapell> WileyS - if you need more time to address the "privacy" question, then I invite you to take a few days and respond on list.

MS: OK, we'll do CfO

<Brooks> Do something with it - like write a spec around it?

<johnsimpson> On the poll: Are all WG members meant to respond or should only one person from each entity?

MS: Comments on other proposals

<Chapell> WileyS - but to be clear, it doesn't seem like you have an answer at this time.

Walter?: Like Roy's last proposal best

<WileyS> Alan, I believe I've answered well enough. Please refer to the trade associations you and the companies you represent for their definition of 1st party for further clarification.

MS: So, proposal 5

<npdoty> I'm a +1 for Proposal 5, it seems to satisfy a lot of people

Walter?: If we can address DS concerns, we are pretty close

<dsinger> I agree we are close

scribe: could get consensus

MS: Anyone not like defn 5

<johnsimpson> I don't like multiple domains

<npdoty> any objections to Proposal 5?

<schunter> Tracking is the collection of data across multiple parties' domains or services and retention of that data in a form that remains attributable to a specific user, user agent, or device.

<npdoty> 5: "Tracking is the collection of data across multiple parties' domains or services and retention of that data in a form that remains attributable to a specific user, user agent, or device."

MS: [MS reads defn 5]

<justin> I think Proposal 5 is based on what I wrote up based on our discussions in Cambridge (Roy has fixed the grammar).

David: In proposal 3, I also try to make clear when "tracking" starts

<fielding> Note that proposal 5 does refer to the specific definition of party.

David: (after receipt and response to HTTP request)
... although prop 3 has other problems
... prop 5 lacks this temporal nature

<Chapell> ShaneW - i don't believe that the practice of the W3C is to simply take all the definitions of the industry trade associations. If it were, this WG would likely have completed its work already

David: but we can work this out.

<fielding> temporal is addressed by definition of retain?

<npdoty> fielding, would you accept a "retain after a network interaction" for Proposal 5?

<fielding> npdoty, no, see definition of retain

<dsinger> could be that retain defines the temporal; we need to check

<johnsimpson> What about proposal FOUR??????

MS: So I will propose prop 5, ask for proposed improvements until we have something good enough

All: Sounds good

MS: Close issue-5 for today's agendum

<Chapell> WileyS - but to be clear, you have been unable to articulate an answer for why ownership is better for privacy

MS: Issues 24, 25
... Initial CPs have arrived
... need to converge

<WileyS> Alan, I understand why you're attempting to alter the playing field in this venue but I don't believe you'll be successful trying to bend the established rules by trying to play this against broad, overly subjective questions of "what is best for consumer privacy?" as there are pros/cons in either direction in that context.

MS: Carl can review the CPs.

Carl: I need more than 5 minutes

<ninja> http://www.w3.org/wiki/Privacy/TPWG/Change_Proposal_Security

Carl: I'm a standards person

<npdoty> http://www.w3.org/wiki/Privacy/TPWG/Change_Proposal_Security

<Chapell> WileyS.... and those pros/cons are....?

Carl: Issue 24: security defn; graduated response; normative and non-normative
... Chris malicious, nefarious, and disingenuous
... CP
... Discussion
... 2nd proposal from John

<WileyS> Alan, established definitions, legal liability structures, consumer expectations

<scribe> ... new text for 5 3 3

UNKNOWN_SPEAKER: final proposal from Lee

<Chapell> WileyS - I'm not here to alter the playing field, I'm simply asking a very reasonable question. IF we're going to have a discussion about the playing field, I'll point to the number of places where this standard has significant anti-competitive implications

UNKNOWN_SPEAKER: replacing 5.3 and removing 2.1.1 and 5.3.3.1
... 4 proposals right now
... Roy's initial doc was questioned by Chris; John rewrote it; and Lee proposed new text

<Chapell> WileyS - Due respect, none of those responses are responsive...

<Chris_IAB> I'm ok with Roy's proposal

UNKNOWN_SPEAKER: ? - any agreement?

<fielding> has anyone proposed to keep the current text? if not, that means 3 proposals ;-)

<WileyS> Alan - With due respect, they are - not sure what you're trying to get at here.

<justin> Thanks, Chris_IAB!

UNKNOWN_SPEAKER: Please look through proposals and try to converge

<Chapell> WileyS - established definitions -- just because a definition was used in one context doesn't necessarily mean that it should be used in all contexts

UNKNOWN_SPEAKER: Do primaries have comments?

Chris: I'm OK w Roy - he provided an amendment to original text

<WileyS> Alan - In "all" contexts to date. Self-regulatory, COPPA, CALOPPA. Please stop this.

Chris: remove friction

<npdoty> any others who want to maintain Chris's text, or should we just continue with Roy/John?

<fielding> proposal 2

<WileyS> I need to see this before I can sign-off - link?

John: Where is Roy's text in wiki?

Roy: Proposal 2 in wiki

<vinay> i believe John edited/tweaked John's language

<fielding> http://www.w3.org/wiki/Privacy/TPWG/Change_Proposal_Security#Proposal_.282.29:_Add_retention_for_prosecution.2C_but_exclude_from_operational_use

<eberkower> http://www.w3.org/wiki/Privacy/TPWG/Change_Proposal_Security

John: I think that is Roy and me.

Roy: +1

<Chapell> WileyS - "consumer expectations" --- does a network consisting of WashingPost and Amazon meet consumer expectations? Does a network composed of NewCorp companies meet consumer expectations as a single entity?

John: Me too

Carl: 3 out of 4 agree. Lee, what about you?

<justin> Is anyone uncomfortable with 2? Graduated response is not explicitly called out FWIW.

ChrisIAB: Give me a minute.

Roy: John did not change my text; just pulled in the discussion with Chris.

Lee: I can't look at it at the moment.

Carl: We will assume closure

<WileyS> Not closed - 2 weeks to consider

<justin> WileyS, closed for the call :)

Walter: Don't see disagreement on substance
... can improve exposition

<WileyS> Justin, okay :-)

<schunter> I agree with Shane: It may be a candidate for being closed (to be validated by email).

Walter: hence no preference

@@: Perhaps no substantive difference.

<justin> (I agree, there hasn't been a lot of real substantive disagreement on this issue for some time!)

@@Lee: John/Roy's text looks fine.

scribe: Lee what did you add?

Lee: I need to get to my computer

<justin> We have a week to develop the consensus on the list.

MS: Let's take apparent consensus text; send to the list; see if there are objections.

<WileyS> Alan, If Amazon intends to share data between the organizations and they appropriately give notice of this within the Washington Post and Amazon Privacy Policies, then yes.

<justin> http://www.w3.org/wiki/Privacy/TPWG/Change_Proposal_Audience_Measurement

Carl: Apparent consensus on John/Roy/Chris; Lee to look at other people to comment

<dsinger> "provided that such data is not used for operational behavior (profiling or personalization)"

<justin> https://www.w3.org/2011/tracking-protection/track/issues/25

David: unnecessary phrase above.

<johnsimpson> Question on the poll: Are all WG members expected to respond? Or just one person per entity they represent?

<Walter> dsinger: I think for all texts there, there is room for improvement in the brevity department

CC: David, put in email.

MS: Issue-25

Justin: Not a lot of discussion

<npdoty> johnsimpson, every participant is invited to respond

Justin: only change proposals from Mike O'Neill and Lee saying "no"
... also need for extra opt out
... fundamental disagreement will not be solved in 5 minutes
... Rob Sherman had two suggestions
... Editorial change resolved on list
... Remove last phrase (independent certification process)
... Rob/CathyJoe - agreement? Non-normative

<npdoty> kj, are you comfortable with Rob's suggestion?

CJ: Agree to non-normative

JB: Great

Walter: ... permitted use and non-normative; confusing
... prefer different state than permitted use

<npdoty> I think it wouldn't be the whole permitted use as non-normative, just the section about an approving authority

Walter: might be incompatible w data protection framework

<Chris_IAB> am I the only one having a hard time hearing/understanding Walter (audio quality)?

Walter: but least objectionable form of tracking

JB: Similar to Mike's comment
... will update wiki
... also Rigo's comment
... so "no new dedicated permitted use"

Walter: Permitted use should be those that are acceptable
... this might not be acceptable
... discuss off-call
... how to understand non-normative permitted use

Justin: There would be some normative reqts
... non-normative is "subject to independent cert"

<npdoty> robsherman, kj, was that a correct description of the non-normative proposal?

Justin: will continue discussion on list

<npdoty> ... the wiki is a little ambiguous

<johnsimpson> Right, it should not be a permitted use

<Chris_IAB> Justin, are those people who object on today's call?

MS: Two new issues
... 170 and 16
... start discussing and submit CPs
... we need final list of CPs
... start look for merging

<fielding> ninja, regarding definition of context in my tracking proposal, see http://lists.w3.org/Archives/Public/public-tracking/2013Jun/0454.html

<npdoty> Chris_IAB, Lee is on the call, and johnsimpson responded in IRC (regarding not wanting a permitted use)

<robsherman> npdoty - yes, the proposal is not to make the entire permitted use non-normative but to make the trade association auditing requirement non-normative; essentially a recommendation that companies making use of that permitted use may consider that framework but it wouldn't be a normative requirement to fall within the permitted use

MS: 170: limitations on data append by first parties

<justin> Chris_IAB, yes, moneill2, walter, johnsimpson, lee, rvaneijk (possibly?)

MS: 16: collect, retain, share data; definition?

<Chris_IAB> npdoty, thanks-- would have been good to hear what specifically they were objecting to, but I guess we'll discuss next week, yes?

MS: please provide CPs and merge w other CPs

<ninja> fielding, thanks

MS: compromise
... let's move fast

<npdoty> +1 robsherman, thank you -- you and kj and I should make sure the wiki is clear

<Chris_IAB> what are 170 and 16?

MS: Next week will review CPs
... 2 weeks will finalize CPs

<npdoty> 170 is data append/first party; 16 is collect/retain/use/share

<dsinger> issue-170?

<trackbot> issue-170 -- Definition of and what/whether limitations around data append and first parties -- open

<trackbot> http://www.w3.org/2011/tracking-protection/track/issues/170

Chris: Summarize 170 and 16

<dsinger> issue-16?

<trackbot> issue-16 -- What does it mean to collect, retain, use and share data? -- open

<trackbot> http://www.w3.org/2011/tracking-protection/track/issues/16

MS: 170: Limitations on data append for first parties

<kulick> ISSUE-170: Definition of and what/whether limitations around data append and first parties

<trackbot> Notes added to ISSUE-170 Definition of and what/whether limitations around data append and first parties.

<trackbot> Sorry, dsinger, I don't understand 'trackbot is your friend!'. Please refer to <http://www.w3.org/2005/06/tracker/irc> for help.

MS: 16: Collect, maintain, use, and share data - defn.
... Topic: Introduction of new issues.

<kulick> ISSUE-16: What does it mean to collect, retain, use and share data?

<trackbot> Notes added to ISSUE-16 What does it mean to collect, retain, use and share data?.

MS: we will trunk (?) away 1 by 1.

<ninja> reminder for the poll deadline today

<scribe> ... completed agenda!

Carl: Poll closes today.
... Please consider voting.

<npdoty> poll link: https://www.w3.org/2002/09/wbs/49311/tpwg-poll/

chris_iab: What does a non-vote mean?

CC/MS: Various answers

<kulick> What does it mean when someone votes as "Yes, and Prefer" for two or more items?

<schunter> We said that you can only say "Yes, and prefer" for a single item.

<dsinger> I would urge them to make some sort of communication (ideally, vote; send email to the group; talk to the staff/chairs…)

scribe: perhaps chairs and staff should reach out to non-voters

<kulick> but not everyone has followed that

<npdoty> +1, we should try to reach out to people who don't submit input via this poll

JS: Is voting by entity or by WG participant?

<schunter> In case of multiple "and prefer"'s, I would count all as "yes"

<dsinger> It's a poll. we're trying to determine what's viable and preferred

<fielding> it is not a vote -- it is a poll of participants, which means individuals

<rvaneijk> npdoty, yes, but it must not make the decision process intransparent...

<WileyS> Unduly influence - yet you've each voted already. :-)

<justin> There are currently two different responses from NAI in the poll. FWIW.

<Walter> there is a general issue of WG-members non-participation

<npdoty> WileyS, we're participants too!

<npdoty> people can change their submissions, fyi

<wseltzer> It's not a "vote". everyone in the WG can speak

Shane, I was voting as an individual in the WG; not to influence others

Shane, I can't encourage others to vote - and not vote myself.

<WileyS> Jeff - I hope you see how that may not be interpreted that way externally

Summary of Action Items

[End of minutes]

Minutes formatted by David Booth's scribe.perl version 1.138 (CVS log)
$Date: 2013/10/09 17:34:17 $
