W3C

- DRAFT -

Tracking Protection Working Group Teleconference

08 Oct 2014

See also: IRC log

Attendees

Present
dsinger, Fielding, Carl_Cargill, npdoty, sidstamm, moneill2, hefferjr, [FTC], Jeff, +1.202.558.aaaa, justin_, WileyS, ChrisPedigoOPA, Wendy, walter, vincent, rvaneijk
Regrets
schunter
Chair
justin
Scribe
npdoty


<trackbot> Date: 08 October 2014

<scribe> scribenick: npdoty

justin: see where we are on closing out Last Call TPE comments, and talk about few remaining TCS issues

TPE

fielding, any outstanding issues?

fielding: JSON as ABNF issue (issue-257). I don't have a proposal, but it'll be editorial

dsinger, can you walk us through your status?

dsinger: sending to public-tracking list

<fielding> http://www.w3.org/2011/tracking-protection/track/products/6

issue-243?

<trackbot> issue-243 -- origin/browsing context terminology -- raised

<trackbot> http://www.w3.org/2011/tracking-protection/track/issues/243

dsinger: tightening up terminology
... "effective script origin", for example
... align with existing documentation

issue-255?

<trackbot> issue-255 -- comments on doNotTrack property -- raised

<trackbot> http://www.w3.org/2011/tracking-protection/track/issues/255

dsinger: was on Navigator, moved to window because it could have different values
... but Anne has suggested that it can vary even if on Navigator
... waiting to hear back from MSFT
... responding that it should be a string, not an enum. because the values have different meaning
... if moved to navigator, it will already be exposed to workers
... promise, can return a value if people care to wait for it
... we should remain aligned with "URI" not "URL"
... cookie-like, should instead use "cookie domain"
... we had an explanation string in the API
... so that the user agent could put up an explanation, but these are horribly open to phishing abuse
... could be bogus site names or bogus site explanations
... nice to have for the honest sites, but could be used by dishonest sites

<fielding> well, doesn't that phishing concern apply to UGE in general?

<walter> fielding: another reason why UGE shouldn't be mandatory

justin: if any concerns, please jump on the q

dsinger: will make changes. had been waiting on Adrian

<Zakim> npdoty, you wanted to comment on promise/async and to comment on phishing

<WileyS> I thought we had long agreed we won't disadvantage good actors due to the risk of some bad actors?

<WileyS> UGE should remain mandatory if we want balance in this standard (still not balanced with required UGE but at least it's closer)

<fielding> right, the synchronous api occurs after the user grants the exception

<WileyS> client-side call though so not expensive

<moneill2> +q

<dsinger> my responses are now online at http://www.w3.org/mid/E459EDF6-D22C-4D83-873E-4E6D8C871733@apple.com

npdoty: think it was a question of implementation complexity, if the model were just "storing", then it's simpler to just implement it as void

<walter> WileyS: honestly, I'm sick and tired of calls for 'balance'

<walter> WileyS: you can call for it if you want, but the tracking situation is unbalanced to begin with

moneill: no harm in getting the promise even if it's not used

dsinger: need help with respec and returning promises

<WileyS> Walter - free content + tracking = balance

<walter> WileyS: and by now any call for 'balance' cannot be taken seriously as made in good faith

<walter> WileyS: I get tracking by my bank, done by lovely Adobe, that's not balance

<WileyS> walter - I would ask you discontinue with the personal attacks - please be respectful

npdoty: I can help with finding ReSpec/promises editing

<walter> WileyS: I attacked the statement, not the person.

<WileyS> "taken seriously as made in good faith" is a personal attack

<dsinger> I think the concern is that a really serious tracking site will masquerade as something innocuous and present a threatening request

<WileyS> A bad actor will not expose themselves in such an open manner

<fielding> walter, most likely what you get from your bank is user experience analytics that allows the bank to make sure that your access to your own accounts is not disabled by some fault in their software. We don't call that tracking.

<sidstamm> this is akin to sites calling files things like "Click OK to download free antivirus software or YOUR COMPUTER MAY BE AT RISK.exe", so it appears in the UI as "Would you like to download Click OK to download free..."

<walter> fielding: it is still sharing my browsing behaviour with a 3rd party, meaning Adobe, of my frigging online banking. Mind you, I do not blame Adobe for this.

npdoty: will follow up in mailing list. I don't think the phishing comments apply in the same way here, because it isn't access to a resource and would more likely be used in retrospective review, not interactive permissions

<sidstamm> dsinger, :)

dsinger: hearing from experts that we generally should not include that kind of language

justin: following up with the commenters
... we had talked about expiration of certain consent or a DNT signal
... moneill had proposed language for an API on that

moneill2, do you have a link? want to explain?

<dsinger> in general, the modern style is not to include strings that open the door to phishing and other misleading behavior. My inclination is to go with the style here, even if in this case it’s not that serious

moneill: copy expiry and maxAge as parameters in the property bag, and explain what happens if you use both

<dsinger> was there a last-call comment to make this functional change?

moneill: while JavaScript could remove it, as nick said, that requires javascript, but images that are used for tracking for example

<WileyS> We don't need an "age out" requirement - but it's a nice to have option

<sidstamm> dsinger, I'm in agreement with you regarding the string unless there's no requirement that it be displayed to the user; in that case it may eventually have value

<dsinger> I also think that there are good reasons to age cookies, and less good to age exceptions.

not-scribing, sidstamm, dsinger, I think it's definitely the case that it's not required to be displayed to the user

<WileyS> I'm comfortable with it being available as well - just not a requirement for all cases

justin: responding to a Last Call comment about expiration
... have editors reviewed? any objections to the ability for expiration of consent?

<rvaneijk> it was on the list, I will look up the URL

<dsinger> The problem is that if Nefarious detects I am using a UA that DOES display it, then they know the door is open to phishing. and they can detect the user-agent from headers, of course

http://lists.w3.org/Archives/Public/public-tracking/2014Sep/0108.html

http://lists.w3.org/Archives/Public/public-tracking/2014Sep/att-0108/tpe_expiry.html

justin: don't need to resolve it right now, but encourage folks to review it

<justin_> https://www.w3.org/2011/tracking-protection/track/issues/262

<WileyS> +q

justin: previous question about real-time bidding
... Shane had expressed interest in responding about it
... talked about a transitive property of a user's DNT signal
... most of the bidding environment is server-to-server
... bidders don't have direct access to client DOM

<rvaneijk> Justin, Could you please later on address CfO deadline which leads to confusion Oct 8/Oct 9? http://lists.w3.org/Archives/Public/public-tracking/2014Oct/0007.html

<justin_> rvaneijk, Yes, will make clear that it's the 9th.

<justin_> Here and on the list!

justin: Rigo had suggested the transitive property, that downstream players would need to adopt the same interpretation as the original server

<rvaneijk> justin, tnx.

justin: downstream servers don't have visibility back to what was on the client
... can send something more concrete by next week

fielding: would like to look at a concrete proposal.
... each request comes into the resources independently, every time there's a request, there will be a DNT signal sent
... not a part of the protocol whether DNT: 0 to the bidding server affects a subsequent DNT: 1

WileyS: agree it's more of a compliance discussion

<rvaneijk> Transitivity has been brought up by Rubicon..

justin: is there a relevant Compliance issue?
... Shane, if you can think about how it should be dealt with for next week

<fielding> issue-200?

<trackbot> issue-200 -- Transitive exceptions -- open

<trackbot> http://www.w3.org/2011/tracking-protection/track/issues/200

npdoty: I don't think the Rubicon comment about tracking status responses is involved with the possible transitivity of exceptions
... since it was about Tracking Status Resource responses back to the user from the server

Reminders

justin: Call for Objections regarding Audience Measurement (inconsistent dates, 8th versus 9th)

<rvaneijk> tnx

justin: so will remain open until midnight eastern on the 9th
... nick will make the questionnaire change as necessary

Other issues

justin: DNT:0, had been possibly applied to Global Considerations purposes
... suggestion was that DNT:0 should be clarified to say that it's consent to whatever was requested at the time

moneill: existing talks about "personalized experience", but DNT shouldn't be just about personalization

<dsinger> so, you ask for an exception so you can remember “only your name and eye color” then yes, DNT:0 to that site for that exception had better mean that (this is not limited to us; being misleading is generally frowned on)

<fielding> mike's proposal assumes that the server did a UGE request with consent. What if the user set a general preference for DNT:0?

<dsinger> to fielding: right, we need to distinguish the two cases

<fielding> Please see how I worded it in http://www.w3.org/2011/tracking-protection/drafts/tracking-compliance-i203b.html#communicating-tracking-status

moneill2: DNT:0 as a general preference, then this specification puts no limitations

fielding: " This specification does not limit tracking in the presence of DNT:0. Note, however, a party might be limited by its own statements to the user, if any, regarding the DNT:0 setting."
... need to take into account the possibility that DNT:0 is set for all sites

moneill2: that was my intent in the last sentence about general preference

justin: seems to be general agreement that if you're setting a specific DNT:0, you're still bound by what you asked for at the time

<rvaneijk> fine by me too

moneill2: looks good

dsinger: also covers the case of a privacy policy that affects dnt: 0

<scribe> ACTION: doty to add language on DNT:0 re scope of consent preference [recorded in http://www.w3.org/2014/10/08-dnt-minutes.html#action01]

<trackbot> Created ACTION-460 - Add language on dnt:0 re scope of consent preference [on Nick Doty - due 2014-10-15].

action-460: see fielding language at www.w3.org/2011/tracking-protection/drafts/tracking-compliance-i203b.html#communicating-tracking-status

<trackbot> Notes added to action-460 Add language on dnt:0 re scope of consent preference.

<dsinger> s/affects DNT:0/makes promises about behavior when DNT:0 is received/

justin: wanted to note on security again

<walter> shane can dislike it all he wants, but any other language would be incompatible with most data protection regimes around the world

<justin_> http://www.w3.org/wiki/Privacy/TPWG/Change_Proposal_Remove_auditable_security_requirement

justin: Shane had suggested he couldn't accept the graduated response language

<WileyS> Correct - graduated response doesn't work in practice - if anything it's the opposite - you start with more data and filter down from there as you can discard non-suspicious activity.

justin: assuming that isn't changed, think that a Call for Objections will be the next step

<walter> Then your current practice is incompatible with multiple legal frameworks

justin: related, question about auditing requirement

<WileyS> walter, could you please quote legal resources you're referring to?

justin: is there any one actively supporting that proposal?

<justin_> http://www.w3.org/wiki/Privacy/TPWG/Change_Proposal_Tracking_Third_Party_Compliance

<WileyS> walter, respectfully you are incorrect

<walter> WileyS: of course, European Data Protection Directive, for starters

issue-203?

<trackbot> issue-203 -- Use of "tracking" in third-party compliance -- open

<trackbot> http://www.w3.org/2011/tracking-protection/track/issues/203

<dsinger> to WileyS: I think if you define graduated as ‘not everything all the time’, allowing for either ramp-up or ramp-down or selected, then it might work

<WileyS> Walter, again, you are incorrect

<walter> WileyS: really? Could you elaborate on what "proportionate" means in that Directive?

<WileyS> DSinger - that could work but I believe the concept of data minimization already captures that need

justin: narrowed to set of options
... seemed to be general agreement on the approach
... haven't seen a lot of activity on the list

<justin_> npdoty: I will follow up on the list with an editorial fix to deal with specific use cases that might be different between the two options.

<WileyS> Proportionate is a defined term: Being in due proportion; proportional. In the context of the EU Data Protection Directive this is left to organizations to defend their activities as "proportionate" to the need for processing. Security has been strongly supported as a "proportionate" activity.

<justin_> npdoty: That might help us come to resolution on this.

<walter> WileyS: it is not a free-for-all-data and there's quite a bit of guidance from the ECJ on this now

npd: it would be useful to know if there are specific use cases that aren't covered

<walter> WileyS: most importantly the recent data retention decision, which clearly states that mass surveillance is incompatible with notions of proportionality

<rvaneijk> It would be good to see both proposals, without the hyperlink in Roy's proposal

fielding: could make updates to my forked document to cover nick's changes

<WileyS> walter - LOL - if you're referring to the RTFB decision I believe you're comparing apples and oranges. This particular conversation is not "fruitful" so I'll stop engaging with you now.

<scribe> ACTION: doty to detail differences between issue-203 proposals [recorded in http://www.w3.org/2014/10/08-dnt-minutes.html#action02]

<trackbot> Created ACTION-461 - Detail differences between issue-203 proposals [on Nick Doty - due 2014-10-15].

<walter> WileyS: I'm not referring to Google vs Spain

justin: thanks nick for "agreeing" to do that ;)

npd: rvaneijk, yeah, I'll try to do that as my action-461

<WileyS> DSinger, the original "graduated response" proposal was specifically start with less and only ramp up later.

npd: fielding, I'm hoping that we can detail differences on the wiki rather than maintaining completely forked versions of the full document

justin: thanks for call today
... reminders about Call for Objections closing tomorrow, which Nick will be sure to update

[adjourned]

<fielding> npdoty, unfortunately the section moves make that difficult

trackbot, end meeting

Summary of Action Items

[NEW] ACTION: doty to add language on DNT:0 re scope of consent preference [recorded in http://www.w3.org/2014/10/08-dnt-minutes.html#action01]
[NEW] ACTION: doty to detail differences between issue-203 proposals [recorded in http://www.w3.org/2014/10/08-dnt-minutes.html#action02]
 
[End of minutes]

Minutes formatted by David Booth's scribe.perl version 1.138 (CVS log)
$Date: 2014-10-08 16:48:45 $
