IRC log of dnt on 2014-10-08

Timestamps are in UTC.

15:59:51 [RRSAgent]
RRSAgent has joined #dnt
15:59:51 [RRSAgent]
logging to http://www.w3.org/2014/10/08-dnt-irc
15:59:53 [trackbot]
RRSAgent, make logs world
15:59:55 [trackbot]
Zakim, this will be TRACK
15:59:55 [Zakim]
ok, trackbot, I see T&S_Track(dnt)12:00PM already started
15:59:56 [trackbot]
Meeting: Tracking Protection Working Group Teleconference
15:59:56 [trackbot]
Date: 08 October 2014
15:59:56 [npdoty]
chair: justin
16:00:00 [npdoty]
regrets+ schunter
16:00:10 [sidstamm]
sidstamm has joined #dnt
16:00:19 [Zakim]
+Carl_Cargill
16:00:20 [jeff]
jeff has joined #dnt
16:00:28 [ChrisPedigoDCN]
ChrisPedigoDCN has joined #dnt
16:00:30 [Zakim]
+[Mozilla]
16:00:39 [Zakim]
+[IPcaller]
16:00:43 [Zakim]
+npdoty
16:00:47 [sidstamm]
Zakim, Mozilla has me
16:00:47 [Zakim]
+sidstamm; got it
16:00:50 [Carl_Cargill]
Carl_Cargill has joined #dnt
16:00:51 [moneill2]
zakim, [IPCaller] is me
16:00:51 [Zakim]
+moneill2; got it
16:00:54 [Zakim]
+hefferjr
16:00:56 [npdoty]
Zakim, who is making noise?
16:01:01 [npdoty]
Zakim, who is on the phone?
16:01:01 [Zakim]
On the phone I see [Apple], Fielding, Carl_Cargill, [Mozilla], moneill2, npdoty, hefferjr
16:01:03 [Zakim]
[Apple] has dsinger
16:01:03 [Zakim]
[Mozilla] has sidstamm
16:01:07 [Zakim]
npdoty, listening for 10 seconds I heard sound from the following: 7 (55%), Carl_Cargill (4%), [Apple] (74%)
16:01:08 [Zakim]
+[FTC]
16:01:40 [Zakim]
+Jeff
16:01:41 [WileyS]
WileyS has joined #dnt
16:01:56 [justin_]
justin_ has joined #dnt
16:02:37 [Zakim]
+ +1.202.558.aaaa
16:02:41 [justin_]
zakim, who is on the phone?
16:02:41 [Zakim]
On the phone I see [Apple], Fielding, Carl_Cargill, [Mozilla], moneill2, npdoty, hefferjr, [FTC], Jeff, +1.202.558.aaaa
16:02:44 [Zakim]
[Apple] has dsinger
16:02:44 [Zakim]
[Mozilla] has sidstamm
16:02:44 [justin_]
zakim, aaaa is me
16:02:46 [Zakim]
+justin_; got it
16:03:02 [Zakim]
+WileyS
16:03:15 [npdoty]
scribenick: npdoty
16:03:41 [npdoty]
justin: see where we are on closing out Last Call TPE comments, and talk about few remaining TCS issues
16:03:45 [npdoty]
Topic: TPE
16:03:58 [Zakim]
+ChrisPedigoOPA
16:03:59 [npdoty]
fielding, any outstanding issues?
16:04:13 [npdoty]
fielding: JSON as ABNF issue. I don't have a proposal, but it'll be editorial
16:04:26 [npdoty]
dsinger, can you walk us through your status?
16:04:36 [npdoty]
dsinger: sending to public-tracking list
16:05:09 [fielding]
http://www.w3.org/2011/tracking-protection/track/products/6
16:05:12 [npdoty]
issue-243?
16:05:12 [trackbot]
issue-243 -- origin/browsing context terminology -- raised
16:05:12 [trackbot]
http://www.w3.org/2011/tracking-protection/track/issues/243
16:05:20 [npdoty]
dsinger: tightening up terminology
16:05:39 [npdoty]
... "effective script origin", for example
16:05:42 [Zakim]
+Wendy
16:05:43 [npdoty]
... align with existing documentation
16:05:47 [npdoty]
issue-255?
16:05:47 [trackbot]
issue-255 -- comments on doNotTrack property -- raised
16:05:47 [trackbot]
http://www.w3.org/2011/tracking-protection/track/issues/255
16:06:05 [Zakim]
+[IPcaller]
16:06:14 [walter]
zakim, ipcaller is me
16:06:14 [Zakim]
+walter; got it
16:06:15 [npdoty]
dsinger: was on Navigator, moved to window because it could have different values
16:06:20 [rvaneijk]
rvaneijk has joined #dnt
16:06:30 [npdoty]
... but Anne has suggested that it can vary even if on Navigator
16:06:35 [npdoty]
... waiting to hear back from MSFT
16:06:56 [npdoty]
dsinger: responding that it should be a string, not an enum. because the values have different meaning
16:06:58 [fielding]
s/JSON as ABNF issue/JSON as ABNF issue (issue-257)/
16:07:08 [npdoty]
... if moved to navigator, it will already be exposed to workers
16:07:19 [vincent]
vincent has joined #dnt
16:07:27 [npdoty]
... promise, can return a value if people care to wait for it
16:07:37 [npdoty]
q+ on promise/async
16:07:55 [npdoty]
... we should remain aligned with "URI" not "URL"
16:08:05 [npdoty]
... cookie-like, should instead use "cookie domain"
16:08:15 [npdoty]
... we had an explanation string in the API
16:08:30 [npdoty]
... so that the user agent could put up an explanation, but these are horribly open to phishing abuse
16:08:47 [npdoty]
... could be bogus site names or bogus site explanations
16:08:58 [Zakim]
+vincent
16:08:59 [npdoty]
... nice to have for the honest sites, but could be used by dishonest sites
16:09:04 [fielding]
well, doesn't that phishing concern applies to UGE in general?
16:09:18 [npdoty]
q+ on phishing
16:09:32 [walter]
fielding: another reason why UGE shouldn't be mandatory
16:09:33 [npdoty]
justin: if any concerns, please jump on the q
16:09:34 [Zakim]
+rvaneijk
16:09:38 [fielding]
s/applies/apply/
16:09:59 [npdoty]
dsinger: will make changes. had been waiting on Adrian
16:10:00 [justin_]
ack npd
16:10:00 [Zakim]
npdoty, you wanted to comment on promise/async and to comment on phishing
16:10:54 [WileyS]
I thought we had long agreed we won't disadvantage good actors due to the risk of some bad actors?
16:11:35 [WileyS]
UGE should remain mandatory if we want balance in this standard (still not balanced with required UGE but at least it's closer)
16:11:40 [fielding]
right, the synchronous api occurs after the user grants the exception
16:11:50 [WileyS]
client-side call though so not expensive
16:12:36 [moneill2]
+q
16:12:50 [justin_]
ack mo
16:13:01 [dsinger]
my responses are now online at http://www.w3.org/mid/E459EDF6-D22C-4D83-873E-4E6D8C871733@apple.com
16:13:02 [npdoty]
npdoty: think it was a question of implementation complexity, if the model were just "storing", then it's simpler to just implement it as void
16:13:06 [walter]
WileyS: honestly, I'm sick and tired of calls for 'balance'
16:13:31 [walter]
WileyS: you can call for it if you want, but the tracking situation is unbalanced to begin with
16:13:32 [npdoty]
moneill: no harm in getting the promise even if it's not used
16:14:05 [npdoty]
dsinger: need help with respec and returning promises
16:14:10 [WileyS]
Walter - free content + tracking = balance
16:14:11 [walter]
WileyS: and by now any call for 'balance' cannot be taken seriously as made in good faith
16:14:36 [walter]
WileyS: I get tracking by my bank, done by lovely Adobe, that's not balance
16:14:37 [WileyS]
walter - I would ask you discontinue with the personal attacks - please be respectful
16:14:41 [npdoty]
npdoty: I can help with finding ReSpec/promises editing
16:15:08 [walter]
WileyS: I attacked the statement, not the person.
16:15:18 [Zakim]
-vincent
16:15:25 [WileyS]
"taken seriously as made in good faith" is a personal attack
16:16:09 [dsinger]
I think the concern is that a really serious tracking site will masquerade as something innocuous and present a threatening request
16:16:45 [WileyS]
A bad actor will not expose themselves in such an open manner
16:16:47 [fielding]
walter, most likely what you get from your bank is user experience analytics that allows the bank to make sure that your access to your own accounts is not disabled by some fault in their software. We don't call that tracking.
16:17:35 [sidstamm]
this is akin to sites calling files things like "Click OK to download free antivirus software or YOUR COMPUTER MAY BE AT RISK.exe", so it appears in the UI as "Would you like to download Click OK to download free..."
16:17:56 [walter]
fielding: it is still sharing my browsing behaviour with a 3rd party, meaning Adobe, of my frigging online banking. Mind you, I do not blame Adobe for this.
16:18:10 [justin_]
q?
16:18:52 [npdoty]
npdoty: will follow up in mailing list. I don't think the phishing comments apply in the same way here, because it isn't access to a resource and would more likely be used in retrospective review, not interactive permissions
16:19:04 [Zakim]
-Wendy
16:19:27 [sidstamm]
dsinger, :)
16:19:39 [npdoty]
dsinger: hearing from experts that we generally should not include that kind of language
16:19:45 [npdoty]
justin: following up with the commenters
16:20:11 [npdoty]
justin: we had talked about expiration of certain consent or a DNT signal
16:20:16 [Zakim]
+Wendy
16:20:19 [npdoty]
... moneill had proposed language for an API on that
16:20:28 [npdoty]
moneill2, do you have a link? want to explain?
16:20:41 [dsinger]
in general, the modern style is not to include strings that open the door to phishing and other misleading behavior. My inclination is to go with the style here, even if in this case it’s not that serious
16:21:19 [npdoty]
moneill: copy expiry and maxAge as parameters in the property bag, and explain what happens if you use both
16:22:03 [dsinger]
was there a last-call comment to make this functional change?
16:22:06 [npdoty]
... while JavaScript could remove it, as nick said, that requires javascript, but images that are used for tracking for example
16:22:11 [WileyS]
We don't need an "age out" requirement - but it's a nice-to-have option
16:22:19 [sidstamm]
dsinger, I'm in agreement with you regarding the string unless there's no requirement that it be displayed to the user; in that case it may eventually have value
16:22:28 [dsinger]
I also think that there are good reasons to age cookies, and less good to age exceptions.
16:22:49 [npdoty]
not-scribing, sidstamm, dsinger, I think it's definitely the case that it's not required to be displayed to the user
16:23:08 [WileyS]
I'm comfortable with it being available as well - just not a requirement for all cases
16:23:17 [npdoty]
justin: responding to a Last Call comment about expiration
16:23:31 [justin_]
q?
16:23:31 [npdoty]
... have editors reviewed? any objections to the ability for expiration of consent?
16:23:48 [rvaneijk]
it was on the list, I will look up the URL
16:23:55 [dsinger]
The problem is that if Nefarious detects I am using a UA that DOES display it, then they know the door is open to phishing. and they can detect the user-agent from headers, of course
16:24:01 [npdoty]
http://lists.w3.org/Archives/Public/public-tracking/2014Sep/0108.html
16:24:10 [npdoty]
http://lists.w3.org/Archives/Public/public-tracking/2014Sep/att-0108/tpe_expiry.html
16:24:14 [justin_]
q?
16:24:46 [npdoty]
justin: don't need to resolve it right now, but encourage folks to review it
16:25:01 [justin_]
https://www.w3.org/2011/tracking-protection/track/issues/262
16:25:40 [npdoty]
agenda+ CfO reminder
16:25:47 [justin_]
q?
16:25:49 [WileyS]
+q
16:25:55 [npdoty]
justin: previous question about real-time bidding
16:25:55 [justin_]
ack wiley
16:26:04 [npdoty]
... Shane had expressed interest in responding about it
16:26:19 [npdoty]
... talked about a transitive property of a user's DNT signal
16:26:32 [npdoty]
... most of the bidding environment is server-to-server
16:26:42 [npdoty]
... bidders don't have direct access to client DOM
16:27:05 [fielding]
q+
16:27:46 [rvaneijk]
Justin, Could you please later on address CfO deadline which leads to confusion Oct 8/Oct 9? http://lists.w3.org/Archives/Public/public-tracking/2014Oct/0007.html
16:28:01 [justin_]
rvaneijk, Yes, will make clear that it's the 9th.
16:28:08 [justin_]
Here and on the list!
16:28:12 [npdoty]
... Rigo had suggested the transitive property, that downstream players would need to adopt the same interpretation as the original server
16:28:17 [rvaneijk]
justin, tnx.
16:28:25 [npdoty]
... downstream servers don't have visibility back to what was on the client
16:28:29 [justin_]
ack fie
16:28:31 [npdoty]
... can send something more concrete by next week
16:28:41 [npdoty]
fielding: would like to look at a concrete proposal.
16:29:05 [npdoty]
... each request comes into the resources independently, every time there's a request, there will be a DNT signal sent
16:29:20 [justin_]
q?
16:29:42 [npdoty]
... not a part of the protocol whether DNT: 0 to the bidding server affects a subsequent DNT: 1
16:29:59 [npdoty]
WileyS: agree it's more of a compliance discussion
16:30:17 [rvaneijk]
Transitivity has been brought up by Rubicon..
16:30:19 [npdoty]
justin: is there a relevant Compliance issue?
16:30:34 [npdoty]
justin: Shane, if you can think about how it should be dealt with for next week
16:30:37 [justin_]
q?
16:30:37 [npdoty]
q+
16:30:44 [justin_]
ack npd
16:30:53 [fielding]
issue-200?
16:30:53 [trackbot]
issue-200 -- Transitive exceptions -- open
16:30:53 [trackbot]
http://www.w3.org/2011/tracking-protection/track/issues/200
16:32:00 [npdoty]
npdoty: I don't think the Rubicon comment about tracking status responses is involved with the possible transitivity of exceptions
16:32:13 [npdoty]
... since it was about Tracking Status Resource responses back to the user from the server
16:32:30 [npdoty]
Topic: Reminders
16:33:08 [npdoty]
justin: Call for Objections regarding Audience Measurement (inconsistent dates, 8th versus 9th)
16:33:08 [rvaneijk]
tnx
16:33:17 [npdoty]
... so will remain open until midnight eastern on the 9th
16:33:25 [npdoty]
... nick will make the questionnaire change as necessary
16:33:48 [npdoty]
Topic: Other issues
16:34:24 [npdoty]
justin: DNT:0, had been possibly applied to Global Considerations purposes
16:34:39 [npdoty]
... suggestion was that DNT:0 should be clarified to say that it's consent to whatever was requested at the time
16:35:07 [npdoty]
moneill: existing talks about "personalized experience", but DNT shouldn't be just about personalization
16:35:23 [dsinger]
so, you ask for an exception so you can remember “only your name and eye color” then yes, DNT:0 to that site for that exception had better mean that (this is not limited to us; being misleading is generally frowned on)
16:35:29 [fielding]
mike's proposal assumes that the server did a UGE request with consent. What if the user set a general preference for DNT:0?
16:35:54 [dsinger]
to fielding: right, we need to distinguish the two cases
16:36:32 [fielding]
Please see how I worded it in http://www.w3.org/2011/tracking-protection/drafts/tracking-compliance-i203b.html#communicating-tracking-status
16:36:36 [fielding]
q+
16:36:50 [npdoty]
moneill2: DNT:0 as a general preference, then this specification puts no limitations
16:36:50 [justin_]
ack fie
16:37:34 [npdoty]
fielding: " This specification does not limit tracking in the presence of DNT:0. Note, however, a party might be limited by its own statements to the user, if any, regarding the DNT:0 setting."
16:37:52 [npdoty]
fielding: need to take into account the possibility that DNT:0 is set for all sites
16:38:00 [npdoty]
moneill2: that was my intent in the last sentence about general preference
16:38:32 [dsinger]
q+
16:38:53 [npdoty]
justin: seems to be general agreement that if you're setting a specific DNT:0, you're still bound by what you asked for at the time
16:39:07 [justin_]
ack ds
16:39:21 [rvaneijk]
fine by me too
16:39:32 [npdoty]
moneill2: looks good
16:39:59 [npdoty]
dsinger: also covers the case of a privacy policy that affects dnt: 0
16:40:23 [npdoty]
action: doty to add language on DNT:0 re scope of consent preference
16:40:24 [trackbot]
Created ACTION-460 - Add language on dnt:0 re scope of consent preference [on Nick Doty - due 2014-10-15].
16:40:35 [npdoty]
action-460: see fielding language at www.w3.org/2011/tracking-protection/drafts/tracking-compliance-i203b.html#communicating-tracking-status
16:40:35 [trackbot]
Notes added to action-460 Add language on dnt:0 re scope of consent preference.
16:40:44 [dsinger]
s/affects DNT:0/makes promises about behavior when DNT:0 is received/
16:40:59 [npdoty]
justin: wanted to note on security again
16:41:05 [walter]
shane can dislike it all he wants, but any other language would be incompatible with most data protection regimes around the world
16:41:13 [justin_]
http://www.w3.org/wiki/Privacy/TPWG/Change_Proposal_Remove_auditable_security_requirement
16:41:17 [npdoty]
... Shane had suggested he couldn't accept the graduated response language
16:41:18 [WileyS]
Correct - granuated response doesn't work in practice - if anything it's the opposite - you start with more data and filter down from there as you can discard non-suspicious activity.
16:41:41 [npdoty]
... assuming that isn't changed, think that a Call for Objections will be the next step
16:41:44 [walter]
Then your current practice is incompatible with multiple legal frameworks
16:41:55 [npdoty]
justin: related, question about auditing requirement
16:41:58 [WileyS]
walter, could you please quote legal resources you're referring to?
16:42:05 [npdoty]
... is there any one actively supporting that proposal?
16:42:15 [justin_]
http://www.w3.org/wiki/Privacy/TPWG/Change_Proposal_Tracking_Third_Party_Compliance
16:42:15 [WileyS]
walter, respectfully you are incorrect
16:42:16 [walter]
WileyS: of course, European Data Protection Directive, for starters
16:42:23 [fielding]
s/granuated/graduated/
16:42:25 [npdoty]
issue-203?
16:42:25 [trackbot]
issue-203 -- Use of "tracking" in third-party compliance -- open
16:42:25 [trackbot]
http://www.w3.org/2011/tracking-protection/track/issues/203
16:42:27 [dsinger]
to Wileys: I think if you define graduated as ‘not everything all the time’, allowing for either ramp-up or ramp-down or selected, then it might work
16:42:29 [WileyS]
Walter, again, you are incorrect
16:42:52 [walter]
WileyS: really? Could you elaborate on what "proportionate" means in that Directive?
16:43:00 [WileyS]
DSinger - that could work but I believe the concept of data minimization already captures that concept
16:43:10 [WileyS]
s/concept/need
16:43:30 [npdoty]
justin: narrowed to set of options
16:43:32 [justin_]
q?
16:43:39 [npdoty]
... seemed to be general agreement on the approach
16:43:59 [npdoty]
q+
16:44:04 [fielding]
q+
16:44:06 [npdoty]
... haven't seen a lot of activity on the list
16:44:07 [justin_]
ack npd
16:44:56 [justin_]
npdoty: I will follow up on the list with an editorial fix to deal with specific use cases that might be different between the two options.
16:44:57 [WileyS]
Proportionate is a defined term: Being in due proportion; proportional. In the context of the EU Data Protection Directive this is left to organizations to defend their activities as "proportionate" to the need for processing. Security has been strongly supported as a "proportionate" activity.
16:45:11 [justin_]
npdoty: That might help us come to resolution on this.
16:45:17 [justin_]
ack fie
16:45:23 [walter]
WileyS: it is not a free-for-all-data and there's quite a bit of guidance from the ECJ on this now
16:45:32 [npdoty]
npd: it would be useful to know if there are specific use cases that aren't covered
16:45:52 [walter]
WileyS: most importantly the recent data retention decision, which clearly states that mass surveillance is incompatible with notions of proportionality
16:45:54 [rvaneijk]
It would be good to see both proposals, without the hyperlink in Roy's proposal
16:46:00 [npdoty]
fielding: could make updates to my forked document to cover nick's changes
16:46:14 [WileyS]
walter - LOL - if you're referring to the RTFB decision I believe you're comparing apples and oranges. This particular conversation is not "fruitful" so I'll stop engaging with you now.
16:46:14 [npdoty]
action: doty to detail differences between issue-203 proposals
16:46:15 [trackbot]
Created ACTION-461 - Detail differences between issue-203 proposals [on Nick Doty - due 2014-10-15].
16:46:25 [walter]
WileyS: I'm not referring to Google vs Spain
16:46:31 [justin_]
q?
16:46:36 [npdoty]
justin: thanks nick for "agreeing" to do that ;)
16:46:37 [Zakim]
+vincent
16:46:59 [npdoty]
npd: rvaneijk, yeah, I'll try to do that as my action-461
16:47:14 [WileyS]
DSinger, the original "graduated response" proposal was specifically start with less and only ramp up later.
16:47:16 [npdoty]
npd: fielding, I'm hoping that we can detail differences on the wiki rather than maintaining completely forked versions of the full document
16:47:19 [Zakim]
-[FTC]
16:47:31 [npdoty]
justin: thanks for call today
16:47:37 [Zakim]
-moneill2
16:47:38 [Zakim]
-ChrisPedigoOPA
16:47:39 [Zakim]
-vincent
16:47:40 [Zakim]
-justin_
16:47:40 [Zakim]
-[Apple]
16:47:41 [Zakim]
-[Mozilla]
16:47:41 [Zakim]
-Carl_Cargill
16:47:42 [Zakim]
-Wendy
16:47:44 [Zakim]
-Jeff
16:47:46 [npdoty]
... reminders about Call for Objections closing tomorrow, which Nick will be sure to update
16:47:46 [Zakim]
-walter
16:47:48 [Zakim]
-rvaneijk
16:47:49 [Zakim]
-WileyS
16:47:49 [npdoty]
[adjourned]
16:47:53 [fielding]
npdoty, unfortunately the section moves make that difficult
16:47:54 [Zakim]
-npdoty
16:48:02 [npdoty]
trackbot, end meeting
16:48:02 [trackbot]
Zakim, list attendees
16:48:02 [Zakim]
As of this point the attendees have been dsinger, Fielding, Carl_Cargill, npdoty, sidstamm, moneill2, hefferjr, [FTC], Jeff, +1.202.558.aaaa, justin_, WileyS, ChrisPedigoOPA,
16:48:05 [Zakim]
... Wendy, walter, vincent, rvaneijk
16:48:10 [trackbot]
RRSAgent, please draft minutes
16:48:10 [RRSAgent]
I have made the request to generate http://www.w3.org/2014/10/08-dnt-minutes.html trackbot