Tracking Protection Working Group Teleconference

25 Jun 2014


Present: walter, moneill2, Ninja, WaltMichel, Jack_Hobaugh, Carl_Cargill, npdoty, Chris_Pedigo, +1.650.362.aaaa, +1.310.292.aabb, RichardWeaver, +1.646.654.aacc, WileyS, johnsimpson, eberkower, Max_Turn, MECallahan, vinay, justin, Brooks, kulick, Peder_Magee, dsinger, SusanIsrael, Chapell, Fielding, [IBM], Amy_Colando, [FTC]
Regrets: sidstamm, schunter


<trackbot> Date: 25 June 2014

chair+ Carl_Cargill

<eberkower> Thank you, Nick

<johnsimpson> thanks for talking to Zakim for me....

<johnsimpson> I am not in a good position to do that, sorry

<scribe> scribenick: ninja

Last Call feedback

justin: We received feedback from 24 commenters
... team started to sort these and will have a call with editors tomorrow to discuss them.
... Looking for input to tackle the technical ones and then bring them all to the group.
... Could take one or two more weeks.

<npdoty> the public list is archived, if you've been wanting to review them: http://lists.w3.org/Archives/Public/public-tracking-comments/2014Jun/thread.html

<justin> https://www.w3.org/wiki/Privacy/TPWG/Change_Proposal_Limitations_on_use_in_Third_Party_Context

justin: Would like to make some progress on text proposals for TCS meanwhile.

Context Separation

<WileyS> Due date for responses?

justin: Hope I updated Walter's proposal in a way that everybody is happy. Last minute friendly amendments.

<WileyS> I ask as many people will be out on vacation next week in the US so we should move any deadlines to be after next week.

<WileyS> Could we please move that out one week?

justin: Answering Shane's comment: The open CfO on Issue 170 runs until next week.

<WileyS> Also question if we should hold a meeting next week - perhaps a straw poll.

<WileyS> +q

justin: Regarding the new CfO two weeks seems like sufficient time. But will discuss with other chairs.

WileyS: Next week many colleagues will take the whole week off.

<Chapell> chapell out next week

<vinay> I'm off next week as well

<johnsimpson> I think July 2 is deadline for current call for objection.

WileyS: If we have most of the WG unavailable it could make sense to skip the WG call. And push the CfO deadline.

<Brooks> may well be out

justin: Nothing against it. Will take it back to the Chairs to decide. But seems reasonable.

<kulick> i'm out

<kulick> np

justin: Strawpoll on who is missing the call next week.

<johnsimpson> not sure if can make next week, not clear yet.

<dsinger> I will be out the week after the 4th (MPEG meeting)

<WileyS> Up to 8 people either out or possibly out

justin: Back to context separation...

<npdoty> https://www.w3.org/wiki/Privacy/TPWG/Change_Proposal_Limitations_on_use_in_Third_Party_Context

<Chris_M> Sorry to be late, I just joined the call

justin: I think I managed to combine all friendly amendments into one text proposal (Walter, Alan, Mike)
... Alan, are you ok with this?

<Chapell> the updated language makes things clearer

justin: Seeing none angry on the queue

<moneill2> <justin>, that's fine

<johnsimpson> agree the updated language does what I want

justin: Mike did a third revision including unique identifiers. I would rather keep this separate in data minimization.
... Mike, are you ok with that?

Moneill2: Agreed.

<npdoty> nick and ninja will set up a Call for Objections on issue-219 to go out today

fielding: I would prefer if the part about “first party” would be less ambiguous

<walter> or in a first party quality

<npdoty> I'm assuming editorial fixes (like, we typically use language like "third party to a given user action")

fielding, could you type that? I was too slow.

<walter> if that isn

<Chapell> Can you post the updated text with Roy's proposal?

<walter> 't proper English, apologies

<justin> the third party MUST NOT use data gathered in another context about the user, including when that party was a first party.

<justin> the third party MUST NOT use data gathered in another context about the user, including data collected as a first party.

justin: typed the text suggested by fielding.

<fielding> yes, first one I think

<moneill2> looks fine to me

<npdoty> +1 to "that party was a first party"

<Chapell> first one seems clearer

justin: Agree with Nick that this is an editorial issue.
... thanks for drawing attention to that.

<justin> https://www.w3.org/wiki/Privacy/TPWG/Change_Proposals_on_data_minimization

justin: Close the discussion on this now.

Data Minimization

<fielding> oh, and that should be collected instead of gathered, since we have only defined collected

<npdoty> from mike: http://lists.w3.org/Archives/Public/public-tracking/2014Jun/0075.html

justin: Mike sent an email at 5:31 regarding unique identifiers.

<npdoty> I've changed gathered to collected on the wiki, which I believe is editorial (+1 to fielding's comment)

Moneill2: Broke it into two bits: unique identifiers outside of permitted uses and storage in the browsers.

<dsinger> editorial: “the users explicit consent” -> “the user’s explicit consent"

justin: could be less controversial than I thought. So you don't want to prohibit unique identifiers for permitted uses.

<Brooks> isn't this more of limitation or what is permitted by permitted uses?

<Brooks> or qualification rather

<WileyS> +q

<dsinger> limited to the extent needed is already a general requirement on permitted uses

<Chris_M> the mode of tracking should be irrelevant for the DNT spec

Moneill2: The part about storage in the browser is intended to limit the use to the duration necessary for permitted uses.

<Chris_M> tracking can be used for a variety of permitted uses: security, site-user state maintenance (shopping cart, etc.)...

<npdoty> walter: Mike's proposal would be explanatory language to add to the editor's draft

walter: I would support Mike's Proposal but might be too technical. Maybe Pending Review.

WileyS: Think Mike's proposal is too broad. Would like to draw in de-identification.

<Chris_M> not sure why we need talk about "device fingerprinting" in this spec?

<moneill2> +q

<walter> eh, points

WileyS: If you have no need for permitted use or timeframe has expired we need to take up de-identification.

<Zakim> npdoty, you wanted to ask if this is just an example of data minimization

justin: Valid point. Could also be valid under HIPAA standards.

<npdoty> "After there are no remaining permitted uses for given data, the data MUST be deleted or deidentified. "

<justin> fielding, thank you --- replaced gathered with collected

npdoty: The general requirement for permitted uses is data MUST not be stored longer than necessary.

justin: Mike, what do you think about Shane's point?

Moneill2: Even pseudonymous data is identifiable as it is linked to a specific device.

<npdoty> regarding the text, would Mike be supportive of using this as an Example rather than additional requirements?

Moneill2: Privacy friendly opt-out cookies don't include a user ID

justin: I think there is a distinction between pseudonymous data and de-identified data.

<npdoty> current definition on deidentified is present here: http://www.w3.org/2011/tracking-protection/drafts/tracking-compliance.html#deidentified

Moneill2: If you collect a unique bit pattern this cannot be de-identified. Can of worms.

<npdoty> (we have an issue on that, but something like those requirements would make that definition)

justin: Suggest more high-level language. Ask Mike to take a look at section ? and see whether he wants additional text.

<WileyS> Opinion noted - let's move to CfO

<npdoty> for what it's worth, moneill2, it looks like Dan Auerbach's proposal was to be a general requirement to apply to all permitted uses, which would have been in this section of general requirements / minimization

walter: De-identification as anonymization is much much harder than we think it is.

<WileyS> Most Working Group members support the concept of de-identification. I would always argue companies shouldn't release de-identified data publicly - to remove the NYC Taxi scenario

<walter> ninja: also, it should not be part of the conversation on minimal use in the context of permitted uses

<walter> ninja: it is put in as a get-out-of-jail-free card

justin: We have a separate issue on de-identification. So let's keep it apart.

<justin> https://www.w3.org/wiki/Privacy/TPWG/Change_Proposals_on_link_shorteners_and_ID_providers

Link shorteners/ID providers

justin: Ninja included some old text proposals on ID providers.

<walter> WileyS: what I argue is that the NYC taxi scenario was data that people thought was deidentified while it wasn't

justin: This is about the FB connect use case

<walter> justin: I thought I'd have more than one week for that proposal, sorry for that misunderstanding

justin: Two proposals from Ian Fette and Rob van Eijk.
... Not sure if anyone wants to continue the discussion on this.

<dsinger> I don’t see anything about link shorteners here

justin: Walter did you want to suggest text on link shorteners? Maybe you could manage this week?
... The sooner we get ideas for the group the better.

<walter> WileyS: basically data is only properly deidentified when you're comfortable publishing it, and probably not even then

<dsinger> I think we need a discussion document on identity providers. So, I logon to a newspaper site using my FB ID. Is FB a first party now?

<WileyS> Walter: we can agree to disagree

<WileyS> Collect and use - perhaps not share

<justin> ninja: I went through the old discussion threads on this. Shane seemed to agree that ID providers can anyway get permission to track despite being third-parties.

<walter> dsinger: am I a heretic for thinking that FB may be one during the login procedure?

<fielding> Can we separate the two? ID providers really have nothing to do with link shorteners. There should also be an issue about third party referral trackers.

<WileyS> OpenID requires direct user authentication with agreement to both terms and PP - so this will trump anything this group says

<dsinger> how can the identity provider NOT know that you are trying to logon to the newspaper?

<walter> fielding: agree, they are very different from link shorteners

justin: Yes, they could ask for permission.

<dsinger> I would like to split link shorteners and identity providers, yes

justin: fielding's request to separate is fair.

<dsinger> agree with Roy on the third also

justin: we grouped them as a number of edge cases. But there may be no text to merge them into one case.

<npdoty> they share a wiki page, but already have two different issues in the tracker

<dsinger> can we have a refresh/discussion piece on identity providers?

justin: Under Ian's proposal if you log on to NYT via Facebook, FB would be a first party.

<WileyS> +1 to David!

<WileyS> Duh

<Chris_M> that's right dsinger

justin: Under Rob's proposal FB would only authenticate and stay a third party

<npdoty> dsinger, there are proposals (like Persona/BrowserID) to enable signing on without telling the authorizer where you're signing in

dsinger: Don't understand the use-case. How can FB not know I log onto NYT?

<dsinger> thx Nick, that should be in the discussion piece. I (we?) need education and a refresh

<WileyS> If the Like button is on those pages, then yes

<Chris_M> maybe the question is: is FB a 1P or 3P in the case where their authentication tool was used

justin: If I authenticate via FB do they need to know every page I read?

<WileyS> Please read their privacy policy - if you are logged into Facebook then they recognize you against your registered persona on that page

justin: Does not work well with FB example

<WileyS> To turn this off, you simply log out of FB

<WileyS> DNT does not trump authentication

<Chris_M> what happens with the "keep me logged in" option in the FB authentication?

<dsinger> I think this is distinct from rules around the ‘like’ button. They are not linked; the question of whether the ‘like’ button can track me even if I am logged in should be separate

justin: That is how Twitter reacts to DNT currently via their widgets

<WileyS> A user has logged-in: they agree to Terms and a PP in doing so.

<npdoty> I suspect that none in the group would argue that when you authenticate with a party, you're engaged in a first-party interaction with them. the question just seems to be whether an authenticated session cookie to additional interactions should make those interactions first-party

justin: This is not meant as DNT trumps authentication or consent based on terms of service.

<moneill2> authentication is usually done via 1st party cookie, not 3rd party elements on pages

dsinger: Whether the like button can track you is a different question.

<WileyS> Their Privacy Policy states they recognize you when you see the Like button on other sites. As you've chosen to log in to Facebook, then you as the user understand this trumps DNT

<moneill2> do not need fb like button for authentication to work

dsinger: ID providers need to know what you want to log on to.

justin: Agreed. Let us keep them separate.

<WileyS> Agreed - OpenID and OpenAuth don't require a page level widget

<Chapell> that begs the question, is there a state where FB is NOT a first party under this spec?

justin: Further work on the text proposals is necessary.

<npdoty> I think maybe we're getting into separate conversations about whether Terms of Service from other sites would count as express consent to override DNT.

<walter> WileyS: which won't fly in most civilised jurisdictions

<WileyS> If you're not logged-in, then FB is not a 1st party

<walter> (that was about the like button)

<walter> WileyS: even if you're logged in FB would be a 3rd party in my book

justin: To Alan's question: Rob's text proposal makes them a third party

<WileyS> Walter - the user has agreed to a different premise

justin: Question the terms of service and user information is sufficient for consent.

<walter> WileyS: no, the user hasn't. Under EU consumer law the user could not reasonably foresee this consequence and that line in FB's terms & conditions would be null and void

<Brooks> why does my login status on a different window impact my status with a like button when I go to a page which I don't know until after the fact has a like button?

justin: I will reach out to Rob to review his old proposal.

<vincent> WileyS, agree with walter, at most they have an OOBC (which should be revocable) but they are still a third party

<WileyS> Walter, the Irish DPA disagrees with you :-)

justin: If folks are interested in pursuing this, please do so.

<walter> ninja: Rob is unavailable this week due to family circumstances

<walter> WileyS: the Irish DPA tends to consistently get trashed in the CJEU

<npdoty> +1 to Brooks on that point, although again I don't think that's the current issue :)

<walter> WileyS: it is the most useless DPA around

Use of "tracking" in compliance

<WileyS> Walter: we'll again agree to disagree

wiki: https://www.w3.org/wiki/Privacy/TPWG/Change_Proposal_Tracking_Third_Party_Compliance

<fielding> I was mostly offline last week

wiki: Authors have not had a chance to review these old proposals yet.
... Let's take this offline; hopefully it won't be too controversial.
... AoB?

<npdoty> dsinger has done some work to merge those two proposals, which we can take to the mailing list

<johnsimpson> thanks, bye

wiki: thanks everybody. Adjourned.

Summary of Action Items

[End of minutes]

Minutes formatted by David Booth's scribe.perl version 1.138 (CVS log)
$Date: 2014-06-25 16:53:00 $
