See also: IRC log
<trackbot> Date: 08 October 2014
<scribe> scribenick: npdoty
justin: see where we are on closing out Last Call TPE comments, and talk about few remaining TCS issues
fielding, any outstanding issues?
fielding: JSON as ABNF issue (issue-257). I don't have a proposal, but it'll be editorial
dsinger, can you walk us through your status?
dsinger: sending to public-tracking list
<fielding> http://www.w3.org/2011/tracking-protection/track/products/6
issue-243?
<trackbot> issue-243 -- origin/browsing context terminology -- raised
<trackbot> http://www.w3.org/2011/tracking-protection/track/issues/243
dsinger: tightening up terminology
... "effective script origin", for example
... align with existing documentation
issue-255?
<trackbot> issue-255 -- comments on doNotTrack property -- raised
<trackbot> http://www.w3.org/2011/tracking-protection/track/issues/255
dsinger: was on Navigator, moved to window because it could have different values
... but Anne has suggested that it can vary even if on Navigator
... waiting to hear back from MSFT
... responding that it should be a string, not an enum, because the values have different meaning
... if moved to navigator, it will already be exposed to workers
... promise, can return a value if people care to wait for it
... we should remain aligned with "URI" not "URL"
... cookie-like, should instead use "cookie domain"
... we had an explanation string in the API
... so that the user agent could put up an explanation, but these are horribly open to phishing abuse
... could be bogus site names or bogus site explanations
... nice to have for the honest sites, but could be used by dishonest sites
<fielding> well, doesn't that phishing concern apply to UGE in general?
<walter> fielding: another reason why UGE shouldn't be mandatory
justin: if any concerns, please jump on the q
dsinger: will make changes. had been waiting on Adrian
<Zakim> npdoty, you wanted to comment on promise/async and to comment on phishing
<WileyS> I thought we had long agreed we won't disadvantage good actors due to the risk of some bad actors?
<WileyS> UGE should remain mandatory if we want balance in this standard (still not balanced with required UGE but at least it's closer)
<fielding> right, the synchronous api occurs after the user grants the exception
<WileyS> client-side call though so not expensive
<moneill2> +q
<dsinger> my responses are now online at http://www.w3.org/mid/E459EDF6-D22C-4D83-873E-4E6D8C871733@apple.com
npdoty: think it was a question of implementation complexity, if the model were just "storing", then it's simpler to just implement it as void
<walter> WileyS: honestly, I'm sick and tired of calls for 'balance'
<walter> WileyS: you can call for it you want, but the tracking situation is unbalanced to begin with
moneill: no harm in getting the promise even if it's not used
dsinger: need help with respec and returning promises
<WileyS> Walter - free content + tracking = balance
<walter> WileyS: and by now any call for 'balance' cannot be taken seriously as made in good faith
<walter> WileyS: I get tracking by my bank, done by lovely Adobe, that's not balance
<WileyS> walter - I would ask you discontinue with the personal attacks - please be respectful
npdoty: I can help with finding ReSpec/promises editing
<walter> WileyS: I attacked the statement, not the person.
<WileyS> "taken seriously as made in good faith" is a personal attack
<dsinger> I think the concern is that a really serious tracking site will masquerade as something innocuous and present a threatening request
<WileyS> A bad actor will not expose themselves in such an open manner
<fielding> walter, most likely what you get from your bank is user experience analytics that allows the bank to make sure that your access to your own accounts is not disabled by some fault in their software. We don't call that tracking.
<sidstamm> this is akin to sites calling files things like "Click OK to download free antivirus software or YOUR COMPUTER MAY BE AT RISK.exe", so it appears in the UI as "Would you like to download Click OK to download free..."
<walter> fielding: it is still sharing my browsing behaviour with a 3rd party, meaning Adobe, of my frigging online banking. Mind you, I do not blame Adobe for this.
npdoty: will follow up in mailing list. I don't think the phishing comments apply in the same way here, because it isn't access to a resource and would more likely be used in retrospective review, not interactive permissions
<sidstamm> dsinger, :)
dsinger: hearing from experts that we generally should not include that kind of language
justin: following up with the commenters
... we had talked about expiration of certain consent or a DNT signal
... moneill had proposed language for an API on that
moneill2, do you have a link? want to explain?
<dsinger> in general, the modern style is not to include strings that open the door to phishing and other misleading behavior. My inclination is to go with the style here, even if in this case it's not that serious
moneill: copy expiry and maxAge as parameters in the property bag, and explain what happens if you use both
<dsinger> was there a last-call comment to make this functional change?
moneill: while JavaScript could remove it, as nick said, that requires javascript, but images that are used for tracking for example
<WileyS> We don't need an "age out" requirement - but its a nice to have option
<sidstamm> dsinger, I'm in agreement with you regarding the string unless there's no requirement that it be displayed to the user; in that case it may eventually have value
<dsinger> I also think that there are good reasons to age cookies, and less good to age exceptions.
not-scribing, sidstamm, dsinger, I think it's definitely the case that it's not required to be displayed to the user
<WileyS> I'm comfortable with it being available as well - just not a requirement for all cases
justin: responding to a Last Call comment about expiration
... have editors reviewed? any objections to the ability for expiration of consent?
<rvaneijk> it was on the list, I will look up the URL
<dsinger> The problem is that if Nefarious detects I am using a UA that DOES display it, then they know the door is open to phishing. and they can detect the user-agent from headers, of course
http://lists.w3.org/Archives/Public/public-tracking/2014Sep/0108.html
http://lists.w3.org/Archives/Public/public-tracking/2014Sep/att-0108/tpe_expiry.html
justin: don't need to resolve it right now, but encourage folks to review it
<justin_> https://www.w3.org/2011/tracking-protection/track/issues/262
<WileyS> +q
justin: previous question about real-time bidding
... Shane had expressed interest in responding about it
... talked about a transitive property of a user's DNT signal
... most of the bidding environment is server-to-server
... bidders don't have direct access to client DOM
<rvaneijk> Justin, could you please later on address the CfO deadline which leads to confusion Oct 8/Oct 9? http://lists.w3.org/Archives/Public/public-tracking/2014Oct/0007.html
<justin_> rvaneijk, Yes, will make clear that it's the 9th.
<justin_> Here and on the list!
justin: Rigo had suggested the transitive property, that downstream players would need to adopt the same interpretation as the original server
<rvaneijk> justin, tnx.
justin: downstream servers don't have visibility back to what was on the client
... can send something more concrete by next week
fielding: would like to look at a concrete proposal.
... each request comes into the resources independently, every time there's a request, there will be a DNT signal sent
... not a part of the protocol whether DNT:0 to the bidding server affects a subsequent DNT:1
WileyS: agree it's more of a compliance discussion
<rvaneijk> Transitivity has been brought up by Rubicon..
justin: is there a relevant Compliance issue?
... Shane, if you can think about how it should be dealt with for next week
<fielding> issue-200?
<trackbot> issue-200 -- Transitive exceptions -- open
<trackbot> http://www.w3.org/2011/tracking-protection/track/issues/200
npdoty: I don't think the Rubicon comment about tracking status responses is involved with the possible transitivity of exceptions
... since it was about Tracking Status Resource responses back to the user from the server
justin: Call for Objections regarding Audience Measurement (inconsistent dates, 8th versus 9th)
<rvaneijk> tnx
justin: so will remain open until midnight eastern on the 9th
... nick will make the questionnaire change as necessary
justin: DNT:0, had been possibly applied to Global Considerations purposes
... suggestion was that DNT:0 should be clarified to say that it's consent to whatever was requested at the time
moneill: existing talks about "personalized experience", but DNT shouldn't be just about personalization
<dsinger> so, you ask for an exception so you can remember “only your name and eye color” then yes, DNT:0 to that site for that exception had better mean that (this is not limited to us; being misleading is generally frowned on)
<fielding> mike's proposal assumes that the server did a UGE request with consent. What if the user set a general preference for DNT:0?
<dsinger> to fielding: right, we need to distinguish the two cases
<fielding> Please see how I worded it in http://www.w3.org/2011/tracking-protection/drafts/tracking-compliance-i203b.html#communicating-tracking-status
moneill2: DNT:0 as a general preference, then this specification puts no limitations
fielding: "This specification does not limit tracking in the presence of DNT:0. Note, however, a party might be limited by its own statements to the user, if any, regarding the DNT:0 setting."
... need to take into account the possibility that DNT:0 is set for all sites
moneill2: that was my intent in the last sentence about general preference
justin: seems to be general agreement that if you're setting a specific DNT:0, you're still bound by what you asked for at the time
<rvaneijk> fine by me too
moneill2: looks good
dsinger: also covers the case of a privacy policy that affects DNT:0
<scribe> ACTION: doty to add language on DNT:0 re scope of consent preference [recorded in http://www.w3.org/2014/10/08-dnt-minutes.html#action01]
<trackbot> Created ACTION-460 - Add language on dnt:0 re scope of consent preference [on Nick Doty - due 2014-10-15].
action-460: see fielding language at www.w3.org/2011/tracking-protection/drafts/tracking-compliance-i203b.html#communicating-tracking-status
<trackbot> Notes added to action-460 Add language on dnt:0 re scope of consent preference.
<dsinger> s/affects DNT:0/makes promises about behavior when DNT:0 is received/
justin: wanted to note on security again
<walter> shane can dislike it all he want, but any other language would be incompatible with most data protection regimes around the world
<justin_> http://www.w3.org/wiki/Privacy/TPWG/Change_Proposal_Remove_auditable_security_requirement
justin: Shane had suggested he couldn't accept the graduated response language
<WileyS> Correct - graduated response doesn't work in practice - if anything it's the opposite - you start with more data and filter down from there as you can discard non-suspicious activity.
justin: assuming that isn't changed, think that a Call for Objections will be the next step
<walter> Then your current practice is incompatible with multiple legal frameworks
justin: related, question about auditing requirement
<WileyS> walter, could you please quote legal resources you're referring to?
justin: is there any one actively supporting that proposal?
<justin_> http://www.w3.org/wiki/Privacy/TPWG/Change_Proposal_Tracking_Third_Party_Compliance
<WileyS> walter, respectfully you are incorrect
<walter> WileyS: of course, European Data Protection Directive, for starters
issue-203?
<trackbot> issue-203 -- Use of "tracking" in third-party compliance -- open
<trackbot> http://www.w3.org/2011/tracking-protection/track/issues/203
<dsinger> to Wileys: I think if you define graduated as 'not everything all the time', allowing for either ramp-up or ramp-down or selected, then it might work
<WileyS> Walter, again, you are incorrect
<walter> WileyS: really? Could you elaborate on what "proportionate" means in that Directive?
<WileyS> DSinger - that could work but I believe the concept of data minimization already captures that need
justin: narrowed to set of options
... seemed to be general agreement on the approach
... haven't seen a lot of activity on the list
<justin_> npdoty: I will follow up on the list with an editorial fix to deal with specific use cases that might be different between the two options.
<WileyS> Proportionate is a defined term: Being in due proportion; proportional. In the context of the EU Data Protection Directive this is left to organizations to defend their activities as "proportionate" to the need for processing. Security has been strongly supported as a "proportionate" activity.
<justin_> npdoty: That might help us come to resolution on this.
<walter> WileyS: it is not a free-for-all with data and there's quite a bit of guidance from the ECJ on this now
npd: it would be useful to know if there are specific use cases that aren't covered
<walter> WileyS: most importantly the recent data retention decision, which clearly states that mass surveillance is incompatible with notions of proportionality
<rvaneijk> It would be good to see both proposals, without the hyperlink in Roy's proposal
fielding: could make updates to my forked document to cover nick's changes
<WileyS> walter - LOL - if you're referring to the RTBF decision I believe you're comparing apples and oranges. This particular conversation is not "fruitful" so I'll stop engaging with you now.
<scribe> ACTION: doty to detail differences between issue-203 proposals [recorded in http://www.w3.org/2014/10/08-dnt-minutes.html#action02]
<trackbot> Created ACTION-461 - Detail differences between issue-203 proposals [on Nick Doty - due 2014-10-15].
<walter> WileyS: I'm not referring to Google vs Spain
justin: thanks nick for "agreeing" to do that ;)
npd: rvaneijk, yeah, I'll try to do that as my action-461
<WileyS> DSinger, the original "graduated response" proposal was specifically start with less and only ramp up later.
npd: fielding, I'm hoping that we can detail differences on the wiki rather than maintaining completely forked versions of the full document
justin: thanks for call today
... reminders about Call for Objections closing tomorrow, which Nick will be sure to update
[adjourned]
<fielding> npdoty, unfortunately the section moves make that difficult
trackbot, end meeting
Scribe: npdoty
Present: dsinger, Fielding, Carl_Cargill, npdoty, sidstamm, moneill2, hefferjr, [FTC], Jeff, +1.202.558.aaaa, justin_, WileyS, ChrisPedigoOPA, Wendy, walter, vincent, rvaneijk
Regrets: schunter
Date: 08 Oct 2014
Minutes: http://www.w3.org/2014/10/08-dnt-minutes.html
People with action items: doty