15:59:51 <RRSAgent> RRSAgent has joined #dnt
15:59:51 <RRSAgent> logging to http://www.w3.org/2014/10/08-dnt-irc
15:59:53 <trackbot> RRSAgent, make logs world
15:59:55 <trackbot> Zakim, this will be TRACK
15:59:55 <Zakim> ok, trackbot, I see T&S_Track(dnt)12:00PM already started
15:59:56 <trackbot> Meeting: Tracking Protection Working Group Teleconference
15:59:56 <trackbot> Date: 08 October 2014
15:59:56 <npdoty> chair: justin
16:00:00 <npdoty> regrets+ schunter
16:00:10 <sidstamm> sidstamm has joined #dnt
16:00:19 <Zakim> +Carl_Cargill
16:00:20 <jeff> jeff has joined #dnt
16:00:28 <ChrisPedigoDCN> ChrisPedigoDCN has joined #dnt
16:00:30 <Zakim> +[Mozilla]
16:00:39 <Zakim> +[IPcaller]
16:00:43 <Zakim> +npdoty
16:00:47 <sidstamm> Zakim, Mozilla has me
16:00:47 <Zakim> +sidstamm; got it
16:00:50 <Carl_Cargill> Carl_Cargill has joined #dnt
16:00:51 <moneill2> zakim, [IPCaller] is me
16:00:51 <Zakim> +moneill2; got it
16:00:54 <Zakim> +hefferjr
16:00:56 <npdoty> Zakim, who is making noise?
16:01:01 <npdoty> Zakim, who is on the phone?
16:01:01 <Zakim> On the phone I see [Apple], Fielding, Carl_Cargill, [Mozilla], moneill2, npdoty, hefferjr
16:01:03 <Zakim> [Apple] has dsinger
16:01:03 <Zakim> [Mozilla] has sidstamm
16:01:07 <Zakim> npdoty, listening for 10 seconds I heard sound from the following: 7 (55%), Carl_Cargill (4%), [Apple] (74%)
16:01:08 <Zakim> +[FTC]
16:01:40 <Zakim> +Jeff
16:01:41 <WileyS> WileyS has joined #dnt
16:01:56 <justin_> justin_ has joined #dnt
16:02:37 <Zakim> + +1.202.558.aaaa
16:02:41 <justin_> zakim, who is on the phone?
16:02:41 <Zakim> On the phone I see [Apple], Fielding, Carl_Cargill, [Mozilla], moneill2, npdoty, hefferjr, [FTC], Jeff, +1.202.558.aaaa
16:02:44 <Zakim> [Apple] has dsinger
16:02:44 <Zakim> [Mozilla] has sidstamm
16:02:44 <justin_> zakim, aaaa is me
16:02:46 <Zakim> +justin_; got it
16:03:02 <Zakim> +WileyS
16:03:15 <npdoty> scribenick: npdoty
16:03:41 <npdoty> justin: see where we are on closing out Last Call TPE comments, and talk about few remaining TCS issues
16:03:45 <npdoty> Topic: TPE
16:03:58 <Zakim> +ChrisPedigoOPA
16:03:59 <npdoty> fielding, any outstanding issues?
16:04:13 <npdoty> fielding: JSON as ABNF issue. I don't have a proposal, but it'll be editorial
16:04:26 <npdoty> dsinger, can you walk us through your status?
16:04:36 <npdoty> dsinger: sending to public-tracking list
16:05:09 <fielding> http://www.w3.org/2011/tracking-protection/track/products/6
16:05:12 <npdoty> issue-243?
16:05:12 <trackbot> issue-243 -- origin/browsing context terminology -- raised
16:05:12 <trackbot> http://www.w3.org/2011/tracking-protection/track/issues/243
16:05:20 <npdoty> dsinger: tightening up terminology
16:05:39 <npdoty> ... "effective script origin", for example
16:05:42 <Zakim> +Wendy
16:05:43 <npdoty> ... align with existing documentation
16:05:47 <npdoty> issue-255?
16:05:47 <trackbot> issue-255 -- comments on doNotTrack property -- raised
16:05:47 <trackbot> http://www.w3.org/2011/tracking-protection/track/issues/255
16:06:05 <Zakim> +[IPcaller]
16:06:14 <walter> zakim, ipcaller is me
16:06:14 <Zakim> +walter; got it
16:06:15 <npdoty> dsinger: was on Navigator, moved to window because it could have different values
16:06:20 <rvaneijk> rvaneijk has joined #dnt
16:06:30 <npdoty> ... but Anne has suggested that it can vary even if on Navigator
16:06:35 <npdoty> ... waiting to hear back from MSFT
16:06:56 <npdoty> dsinger: responding that it should be a string, not an enum. because the values have different meaning
16:06:58 <fielding> s/JSON as ABNF issue/JSON as ABNF issue (issue-257)/
16:07:08 <npdoty> ... if moved to navigator, it will already be exposed to workers
16:07:19 <vincent> vincent has joined #dnt
16:07:27 <npdoty> ... promise, can return a value if people care to wait for it
16:07:37 <npdoty> q+ on promise/async
16:07:55 <npdoty> ... we should remain aligned with "URI" not "URL"
16:08:05 <npdoty> ... cookie-like, should instead use "cookie domain"
16:08:15 <npdoty> ... we had an explanation string in the API
16:08:30 <npdoty> ... so that the user agent could put up an explanation, but these are horribly open to phishing abuse
16:08:47 <npdoty> ... could be bogus site names or bogus site explanations
16:08:58 <Zakim> +vincent
16:08:59 <npdoty> ... nice to have for the honest sites, but could be used by dishonest sites
16:09:04 <fielding> well, doesn't that phishing concern applies to UGE in general?
16:09:18 <npdoty> q+ on phishing
16:09:32 <walter> fielding: another reason why UGE shouldn't be mandatory
16:09:33 <npdoty> justin: if any concerns, please jump on the q
16:09:34 <Zakim> +rvaneijk
16:09:38 <fielding> s/applies/apply/
16:09:59 <npdoty> dsinger: will make changes. had been waiting on Adrian
16:10:00 <justin_> ack npd
16:10:00 <Zakim> npdoty, you wanted to comment on promise/async and to comment on phishing
16:10:54 <WileyS> I thought we had long agreed we won't disadvantage good actors due to the risk of some bad actors?
16:11:35 <WileyS> UGE should remain mandatory if we want balance in this standard (still not balanced with required UGE but at least its closer)
16:11:40 <fielding> right, the synchronous api occurs after the user grants the exception
16:11:50 <WileyS> client-side call though so not expensive
16:12:36 <moneill2> +q
16:12:50 <justin_> ack mo
16:13:01 <dsinger> my responses are now online at http://www.w3.org/mid/E459EDF6-D22C-4D83-873E-4E6D8C871733@apple.com
16:13:02 <npdoty> npdoty: think it was a question of implementation complexity, if the model were just "storing", then it's simpler to just implement it as void
16:13:06 <walter> WileyS: honestly, I'm sick and tired of calls for 'balance'
16:13:31 <walter> WileyS: you can call for it you want, but the tracking situation is unbalanced to begin with
16:13:32 <npdoty> moneill: no harm in getting the promise even if it's not used
16:14:05 <npdoty> dsinger: need help with respec and returning promises
16:14:10 <WileyS> Walter - free content + tracking = balance
16:14:11 <walter> WileyS: and by now any call for 'balance' cannot be taken seriously as made in good faith
16:14:36 <walter> WileyS: I get tracking by my bank, done by lovely Adobe, that's not balance
16:14:37 <WileyS> walter - I would ask you discontinue with the personal attacks - please be respectful
16:14:41 <npdoty> npdoty: I can help with finding ReSpec/promises editing
16:15:08 <walter> WileyS: I attacked the statement, not the person.
16:15:18 <Zakim> -vincent
16:15:25 <WileyS> "taken seriousaly as made in good faith" is a personal attack
16:16:09 <dsinger> I think the concern is that a really serious tracking site will masquerade as something innocuous and present a threatening request
16:16:45 <WileyS> A bad actor will not expose themselves in such an open manner
16:16:47 <fielding> walter, most likely what you get from your bank is user experience analytics that allows the bank to make sure that your access to your own accounts is not disabled by some fault in their software. We don't call that tracking.
16:17:35 <sidstamm> this is akin to sites calling files things like "Click OK to download free antivirus software or YOUR COMPUTER MAY BE AT RISK.exe", so it appears in the UI as "Would you like to download Click OK to download free..."
16:17:56 <walter> fielding: it is still sharing my browsing behaviour with a 3rd party, meaning Adobe, of my frigging online banking. Mind you, I do not blame Adobe for this.
16:18:10 <justin_> q?
16:18:52 <npdoty> npdoty: will follow up in mailing list. I don't think the phishing comments apply in the same way here, because it isn't access to a resource and would more likely be used in retrospective review, not interactive permissions
16:19:04 <Zakim> -Wendy
16:19:27 <sidstamm> dsinger, :)
16:19:39 <npdoty> dsinger: hearing from experts that we generally should not include that kind of language
16:19:45 <npdoty> justin: following up with the commenters
16:20:11 <npdoty> justin: we had talked about expiration of certain consent or a DNT signal
16:20:16 <Zakim> +Wendy
16:20:19 <npdoty> ... moneill had proposed language for an API on that
16:20:28 <npdoty> moneill2, do you have a link? want to explain?
16:20:41 <dsinger> in general, the modern style is not to include strings that open the door to phishing and other misleading behavior. My inclication is to go with the style here, even if in this case it’s not that serious
16:21:19 <npdoty> moneill: copy expiry and maxAge as parameters in the property bag, and explain what happens if you use both
16:22:03 <dsinger> was there a last-call comment to make this functional change?
16:22:06 <npdoty> ... while JavaScript could remove it, as nick said, that requires javascript, but images that are used for tracking for example
16:22:11 <WileyS> We don't need an "age out" requirement - but its a nice to have option
16:22:19 <sidstamm> dsinger, I'm in agreement with you regarding the string unless there's no requirement that it be displayed to the user; in that case it may eventually have value
16:22:28 <dsinger> I also think that there are good reasons to age cookies, and less good to age exceptions.
16:22:49 <npdoty> not-scribing, sidstamm, dsinger, I think it's definitely the case that it's not required to be displayed to the user
16:23:08 <WileyS> I'm comfortable with it being available as well - just not a requirement for all cases
16:23:17 <npdoty> justin: responding to a Last Call comment about expiration
16:23:31 <justin_> q?
16:23:31 <npdoty> ... have editors reviewed? any objections to the ability for expiration of consent?
16:23:48 <rvaneijk> it was on the list, I will look up the URL
16:23:55 <dsinger> The problem is that if Nefarious detects I am using a UA that DOES display it, then they know the door is open to phishing.  and they can detect the user-agent from headers, of course
16:24:01 <npdoty> http://lists.w3.org/Archives/Public/public-tracking/2014Sep/0108.html
16:24:10 <npdoty> http://lists.w3.org/Archives/Public/public-tracking/2014Sep/att-0108/tpe_expiry.html
16:24:14 <justin_> q?
16:24:46 <npdoty> justin: don't need to resolve it right now, but encourage folks to review it
16:25:01 <justin_> https://www.w3.org/2011/tracking-protection/track/issues/262
16:25:40 <npdoty> agenda+ CfO reminder
16:25:47 <justin_> q?
16:25:49 <WileyS> +q
16:25:55 <npdoty> justin: previous question about real-time bidding
16:25:55 <justin_> ack wiley
16:26:04 <npdoty> ... Shane had expressed interest in responding about it
16:26:19 <npdoty> ... talked about a transitive property of a user's DNT signal
16:26:32 <npdoty> ... most of the bidding environment is server-to-server
16:26:42 <npdoty> ... bidders don't have direct access to client DOM
16:27:05 <fielding> q+
16:27:46 <rvaneijk> Justin, Could you please later on addess Cfo deadline which leads to confusion Oct 8/Oct 9? http://lists.w3.org/Archives/Public/public-tracking/2014Oct/0007.html
16:28:01 <justin_> rvaneijk, Yes, will make clear that it's the 9th.
16:28:08 <justin_> Here and on the list!
16:28:12 <npdoty> ... Rigo had suggested the transitive property, that downstream players would need to adopt the same interpretation as the original server
16:28:17 <rvaneijk> justin, tnx.
16:28:25 <npdoty> ... downstream servers don't have visibility back to what was on the client
16:28:29 <justin_> ack fie
16:28:31 <npdoty> ... can send something more concrete by next week
16:28:41 <npdoty> fielding: would like to look at a concrete proposal.
16:29:05 <npdoty> ... each request comes into the resources independently, every time there's a request, there will be a DNT signal sent
16:29:20 <justin_> q?
16:29:42 <npdoty> ... not a part of the protocol whether DNT: 0 to the bidding server affects a subsequent DNT: 1
16:29:59 <npdoty> WileyS: agree it's more of a compliance discussion
16:30:17 <rvaneijk> Transitivity has been brought up by Rubicon..
16:30:19 <npdoty> justin: is there a relevant Compliance issue?
16:30:34 <npdoty> justin: Shane, if you can think about how it should be dealt with for next week
16:30:37 <justin_> q?
16:30:37 <npdoty> q+
16:30:44 <justin_> ack npd
16:30:53 <fielding> issue-200?
16:30:53 <trackbot> issue-200 -- Transitive exceptions -- open
16:30:53 <trackbot> http://www.w3.org/2011/tracking-protection/track/issues/200
16:32:00 <npdoty> npdoty: I don't think the Rubicon comment about tracking status responses is involved with the possible transitivity of exceptions
16:32:13 <npdoty> ... since it was about Tracking Status Resource responses back to the user from the server
16:32:30 <npdoty> Topic: Reminders
16:33:08 <npdoty> justin: Call for Objections regarding Audience Measurement (inconsistent dates, 8th versus 9th)
16:33:08 <rvaneijk> tnx
16:33:17 <npdoty> ... so will remain open until midnight eastern on the 9th
16:33:25 <npdoty> ... nick will make the questionnaire change as necessary
16:33:48 <npdoty> Topic: Other issues
16:34:24 <npdoty> justin: DNT:0, had been possibly applied to Global Considerations purposes
16:34:39 <npdoty> ... suggestion was that DNT:0 should be clarified to say that it's consent to whatever was requested at the time
16:35:07 <npdoty> moneill: existing talks about "personalized experience", but DNT shouldn't be just about personalization
16:35:23 <dsinger> so, you ask for an exception so you can remember “only your name and eye color” then yes, DNT:0 to that site for that exception had better mean that (this is not limited to us; being misleading is generally frowned on)
16:35:29 <fielding> mike's proposal assumes that the server did a UGE request with consent. What if the user set a general preference for DNT:0?
16:35:54 <dsinger> to fielding: right, we need to distinguish the two cases
16:36:32 <fielding> Please see how I worded it in http://www.w3.org/2011/tracking-protection/drafts/tracking-compliance-i203b.html#communicating-tracking-status
16:36:36 <fielding> q+
16:36:50 <npdoty> moneill2: DNT:0 as a general preference, then this specification puts no limitations
16:36:50 <justin_> ack fie
16:37:34 <npdoty> fielding: " This specification does not limit tracking in the presence of DNT:0. Note, however, a party might be limited by its own statements to the user, if any, regarding the DNT:0 setting."
16:37:52 <npdoty> fielding: need to take into account the possibility that DNT:0 is set for all sites
16:38:00 <npdoty> moneill2: that was my intent in the last sentence about general preference
16:38:32 <dsinger> q+
16:38:53 <npdoty> justin: seems to be general agreement that if you're setting a specific DNT:0, you're still bound by what you asked for at the time
16:39:07 <justin_> ack ds
16:39:21 <rvaneijk> fine by me too
16:39:32 <npdoty> moneill2: looks good
16:39:59 <npdoty> dsinger: also covers the case of a privacy policy that affects dnt: 0
16:40:23 <npdoty> action: doty to add language on DNT:0 re scope of consent preference
16:40:24 <trackbot> Created ACTION-460 - Add language on dnt:0 re scope of consent preference [on Nick Doty - due 2014-10-15].
16:40:35 <npdoty> action-460: see fielding language at www.w3.org/2011/tracking-protection/drafts/tracking-compliance-i203b.html#communicating-tracking-status
16:40:35 <trackbot> Notes added to action-460 Add language on dnt:0 re scope of consent preference.
16:40:44 <dsinger> s/affects DNT:0/makes promises about behavior when DNT:0 is received/
16:40:59 <npdoty> justin: wanted to note on security again
16:41:05 <walter> shane can dislike it all he want, but any other language would be incompatible with most data protection regimes around the world
16:41:13 <justin_> http://www.w3.org/wiki/Privacy/TPWG/Change_Proposal_Remove_auditable_security_requirement
16:41:17 <npdoty> ... Shane had suggested he couldn't accept the graduated response language
16:41:18 <WileyS> Correct - granuated response doesn't work in practice - if anything its the opposite - you start with more data and filter down from there as you can discard non-suspicious activity.
16:41:41 <npdoty> ... assuming that isn't changed, think that a Call for Objections will be the next step
16:41:44 <walter> Then your current practice is incompatible with multiple legal frameworks
16:41:55 <npdoty> justin: related, question about auditing requirement
16:41:58 <WileyS> walter, could you please quote legal resources you're referring to?
16:42:05 <npdoty> ... is there any one actively supporting that proposal?
16:42:15 <justin_> http://www.w3.org/wiki/Privacy/TPWG/Change_Proposal_Tracking_Third_Party_Compliance
16:42:15 <WileyS> walter, respectfully you are incorrect
16:42:16 <walter> WileyS: of course, European Data Protection Directive, for starters
16:42:23 <fielding> s/granuated/graduated/
16:42:25 <npdoty> issue-203?
16:42:25 <trackbot> issue-203 -- Use of "tracking" in third-party compliance -- open
16:42:25 <trackbot> http://www.w3.org/2011/tracking-protection/track/issues/203
16:42:27 <dsinger> to Wileys: I think if you define graduated as ‘not everything all the time’, allowing for eitehr ramp-up or ramp-down or selected, then it might work
16:42:29 <WileyS> Walter, again, you are incorrect
16:42:52 <walter> WileyS: really? Could you elaborate on what "proportionate" means in that Directive?
16:43:00 <WileyS> DSinger - that could work but I believe the concept of data minimization already captures that concept
16:43:10 <WileyS> s/concept/need
16:43:30 <npdoty> justin: narrowed to set of options
16:43:32 <justin_> q?
16:43:39 <npdoty> ... seemed to be general agreement on the approach
16:43:59 <npdoty> q+
16:44:04 <fielding> q+
16:44:06 <npdoty> ... haven't seen a lot of activity on the list
16:44:07 <justin_> ack npd
16:44:56 <justin_> npdoty: I will follow up on the list with an editorial fix to deal with specific use cases that might be different between the two options.
16:44:57 <WileyS> Proportionate is a defined term: Being in due proportion; proportional.  In the context of the EU Data Protection Directive this is left to organizations to defend their activities as "proportionate" to the need for processing.  Security has been strongly supported as a "proportionate" activity.
16:45:11 <justin_> npdoty: That might help us come to resolution on this.
16:45:17 <justin_> ack fie
16:45:23 <walter> WileyS: it is not a fee-for-all-data and there's quit a bit of guidance from the ECJ on this now
16:45:32 <npdoty> npd: it would be useful if to know if there are specific use cases aren't covered
16:45:52 <walter> WileyS: most importantly the recent data retention decision, which clearly states that mass surveillance is incompatible with notions of proportionality
16:45:54 <rvaneijk> It would be good to see both proposals, without the hyperlink in Roy's proposal
16:46:00 <npdoty> fielding: could make updates to my forked document to cover nick's changes
16:46:14 <WileyS> walter - LOL - if you're referring to the RTFB decision I believe you're comparing apples and oranges.  This particular conversation is not "frutiful" so I'll stop engaging with you now.
16:46:14 <npdoty> action: doty to detail differences between issue-203 proposals
16:46:15 <trackbot> Created ACTION-461 - Detail differences between issue-203 proposals [on Nick Doty - due 2014-10-15].
16:46:25 <walter> WileyS: I'm not refering to Google vs Spain
16:46:31 <justin_> q?
16:46:36 <npdoty> justin: thanks nick for "agreeing" to do that ;)
16:46:37 <Zakim> +vincent
16:46:59 <npdoty> npd: rvaneijk, yeah, I'll try to do that as my action-461
16:47:14 <WileyS> DSinger, the original "graduated response" proposal was specifically start with less and only ramp up later.
16:47:16 <npdoty> npd: fielding, I'm hoping that we can detail differences on the wiki rather than maintaining completely forked versions of the full document
16:47:19 <Zakim> -[FTC]
16:47:31 <npdoty> justin: thanks for call today
16:47:37 <Zakim> -moneill2
16:47:38 <Zakim> -ChrisPedigoOPA
16:47:39 <Zakim> -vincent
16:47:40 <Zakim> -justin_
16:47:40 <Zakim> -[Apple]
16:47:41 <Zakim> -[Mozilla]
16:47:41 <Zakim> -Carl_Cargill
16:47:42 <Zakim> -Wendy
16:47:44 <Zakim> -Jeff
16:47:46 <npdoty> ... reminders about Call for Objections closing tomorrow, which Nick will be sure to update
16:47:46 <Zakim> -walter
16:47:48 <Zakim> -rvaneijk
16:47:49 <Zakim> -WileyS
16:47:49 <npdoty> [adjourned]
16:47:53 <fielding> npdoty, unfortunately the section moves make that difficult
16:47:54 <Zakim> -npdoty
16:48:02 <npdoty> trackbot, end meeting
16:48:02 <trackbot> Zakim, list attendees
16:48:02 <Zakim> As of this point the attendees have been dsinger, Fielding, Carl_Cargill, npdoty, sidstamm, moneill2, hefferjr, [FTC], Jeff, +1.202.558.aaaa, justin_, WileyS, ChrisPedigoOPA,
16:48:05 <Zakim> ... Wendy, walter, vincent, rvaneijk
16:48:10 <trackbot> RRSAgent, please draft minutes
16:48:10 <RRSAgent> I have made the request to generate http://www.w3.org/2014/10/08-dnt-minutes.html trackbot
16:48:11 <trackbot> RRSAgent, bye
16:48:11 <RRSAgent> I see 2 open action items saved in http://www.w3.org/2014/10/08-dnt-actions.rdf :
16:48:11 <RRSAgent> ACTION: doty to add language on DNT:0 re scope of consent preference [1]
16:48:11 <RRSAgent>   recorded in http://www.w3.org/2014/10/08-dnt-irc#T16-40-23
16:48:11 <RRSAgent> ACTION: doty to detail differences between issue-203 proposals [2]
16:48:11 <RRSAgent>   recorded in http://www.w3.org/2014/10/08-dnt-irc#T16-46-14-1