<trackbot> Date: 22 October 2014
<fielding> I didn't make any progress this week, sadly
<npdoty> scribenick: kulick
justin: next week TPAC for W3C meeting, so no call next week
2 TPE issues
<justin> issue-262?
<trackbot> issue-262 -- guidance regarding server responses and timing -- pending review
<trackbot> http://www.w3.org/2011/tracking-protection/track/issues/262
issue 262
scribe: we talked about DNT signal when passing on outside of browser/client
... nick sent something last night
<justin> Nick's proposal: http://lists.w3.org/Archives/Public/public-tracking/2014Oct/0082.html
npdoty: you might be talking to a lot of servers and not know in advance
<WileyS> +q
npdoty: we already have a signal... we might be able to use
... tk headers might not be good for 24 hrs
... very small change to cache response headers
... we can respond to commenter about using ?
shane: 2nd part of nick's email covered whether bid recp can use and Nick felt couldn't be used
... (paraphrasing) nick brought up race condition, shane feels it is edge case
<npdoty> wileys is referring to a separate email, my response about recent knowledge: http://www.w3.org/mid/F6D11A37-A720-4DD6-916E-013F64DC2FE3@w3.org
<fielding> agree with Nick's summary; basically, we just need to say that the Tk response's TSV applies to the current request and the resource-specific tracking status resource would have to be specific to the winning bidder
shane: we can solve vast majority and could find acceptable solution to very high edge case
<moneill2> +q
<WileyS> Changing their DNT setting wouldn't change the UGE
npdoty: some cases where svr has more accurate info where exception... there are also cases where users change DNT settings... not sure which are more likely... i was trying to get across that users would lose confidence if they kept getting signals back related to the signal
<WileyS> Nick, are you saying there is a "special mode" that invalidates all previously provided UGEs?
<walter> WileyS: do you foresee usage of UGE in a DNT:0 situation?
<walter> ah, ok, I get your point
<WileyS> Walter, no need for a UGE in a DNT:0 situation.
vincent: unclear to me if these are data processors or service provider
<npdoty> WileyS, I could imagine a UA that gave me a setting for a private browsing mode, where it would always send DNT:1, even while DNT:0 is configured for some servers
<npdoty> I personally would use that mode when researching medical issues, for example
vincent: not clear how it is going to work
justin: huh?
<WileyS> Nick, UGE trumps DNT:1 - even in a "private mode"
vincent: bidders might not prov response at same time... are they SPs?
<WileyS> Nick, we've not created a DNT signal that trumps all previous UGEs
justin: ad network is not a data processor, but a SP
<vincent> no they are not even SP
<vincent> and I don't think justin said that either
<justin> vincent, right I don't think they are service providers.
<npdoty> Wileys, an advantage of storing DNT:0 in the user agent is that the user can control them, and decide not to keep the exception at all times
<walter> kulick: ad network _is_ a data processor
mike: the ad exchg to respond would have to have a memory of the user
<walter> kulick: but I would agree that they are attributable to the 1st party
<WileyS> Nick, we're storing the UGE with the UA - that's the point.
(sorry about that... thx walter)
justin: what are implications of that?
<walter> but it proves the problem of the 1st/3rd party distinction
mike: i dont think shane's is an answer
... wrt dynamic response... how does it calc it?
<Zakim> npdoty, you wanted to respond about service provider
npdoty: maybe they are the same
<WileyS> An "Ad Exchange" then communicates to "Ad Networks" - just so we're all clear
npdoty: the end user is comm with ad server... servers are comm'ing with other servers
<vincent> but they are still sharing the data with several entites
npdoty: whoever wins bid needs to send response value
<WileyS> In many transactions the bid winner never communicates with the UA
<WileyS> The Ad Exchange simply serves the ad if they're holding the creative
justin: bid losers wouldnt be able to signal anything?
npdoty: yep
mike: (scribe fail)
<WileyS> The ad network has the user's identity through cookie mapping
<npdoty> yeah, the contents of the request are forwarded along, as I understand it
<npdoty> ... which would include cookies and URL parameters
<walter> which is problematic indeed
justin: clear division of values trying to be addressed, likely to go CfO
... want to give another week to find compromise
<WileyS> My concern is that everyone doesn't appear to be very clear on how an Ad Exchange works.
justin: folks invited to respond to proposals
speaker?
rob?
<vincent> will the cfo be on the technical solution or the fact that ad-exchange can propagate the signal when they receive DNT:1?
<walter> WileyS: I'm very willing to be educated on that topic, and so are others I presume
rvaneijk: any way to differentiate targeted v. non targeted ad?
<WileyS> The Ad Exchange doesn't know - and there isn't a signal to pass that information on to the Ad Exchange by the bid winner today (something we're working on in the AdChoices Metadata working group)
justin: (scribe fail)
<npdoty> justin: tracking is not identical to whether a particular ad is targeted
<WileyS> All Ad Exchanges all support all forms of ad serving
rvaneijk: if one sets DNT, they dont want targeting, therefore, trying to understand at protocol level if distinction can be made
<moneill2> +q
<Zakim> npdoty, you wanted to comment on what our options are
<WileyS> contextual, retargeting, profiling, demo, etc.
npdoty: wrt to auctions... i want to understand the caching of tk headers
... are all options represented currently?
mike: if ad ex doesnt pass uniq id for that user
... that would be fine wrt DNT
... the key is
... is the ad exch allowed to pass downstream uniq user id
<WileyS> It needs to pass an ID to support even basic ad serving (zero targeting)
justin: if no uniq, does fall under tracking
... (scribe fail)
<WileyS> Ad networks need to retain some information even for basic billing and security purposes
<npdoty> right, in theory, you could pass only the URL, stripped of any identifiers/cookies/etc, to other servers and certainly not be tracking
vincent: 3rd proposal, if ad exch gets DNT:1
what?
<vincent> sure
<npdoty> WileyS, but for the exchange model, is the ad exchange retaining data for more than just the purposes of the fulfilling ad or ad network
roy: note: our conv last week was related to response had to be valid for 24 hrs
... tk_response header field would be for current response only
<WileyS> Nick, no - there are strict contractual controls which only allow the bid winner to retain data for the purpose of processing.
roy, is that accurate?
<WileyS> Will do
justin: Shane, please provide your objections to Nick's proposal... please write it up for digestion for folks
<npdoty> WileyS, great. so I think we are good with the service provider definition as is.
<WileyS> Sure
rvaneijk: Shane, can I re-input it for later this week?
justin: anyone else on this issue?
<fielding> close enough … Nick and I talked about the 24-hour issue last week after the call and decided that making the Tk header field indicate only for the current request would be sufficient for Shane's use case
justin: roy, please iterate on nick's proposal, shane please send your obj
... hard issue, we have more work to do on this one
... close on most of remaining issues
<justin> issue-266?
<trackbot> issue-266 -- automatic expiration of a tracking preference exception via API parameter -- raised
<trackbot> http://www.w3.org/2011/tracking-protection/track/issues/266
justin: some discussion about issue 266
... any objections to mike's suggestion to add parameters in?
<WileyS> As long as they aren't mandatory. They won't ever be used (not voluntarily)
justin: any objs if params arent used if they go away
<npdoty> WileyS, I think the suggestion is that it would be an optional parameter.
justin: pls describe nick
<WileyS> "At risk" means that if no one implements the feature then it will be removed from the standard
npdoty: when going to call for implementation... if no one imps feature and we called feature at-risk, then we would remove
... this would happen before proposed recommendation
mike: want to hear from browser companies
<npdoty> +1, getting feedback from browsers would be useful. as would feedback from sites that would want to use it
<fielding> I think the current plan is to add some expiration or max-use (delta seconds) values to the UGE interfaces in a way that won't affect the interface signature.
rvaneijk: imp not relevant for us, but that the toolbox retains such a feature
sorry correction
rvaneijk: imp not as relevant for us, but that the toolbox retains such a feature
justin: nick, thoughts on that?
npdoty: main issue is that it slows down process to convergence
justin: (scribe fail)
... other process might conflict with at-risk status
... torn at at-risk status... maybe I should email for thots
rvaneijk: (bg noise... having trouble deciphering)
<npdoty> if we expect no one will start implementing or try to use for a number of years, and we can't convince any browsers to implement it before then, I'm concerned about including it
thx npdoty
<npdoty> but if it's likely to see regulatory requirements and be useful, then I hope we can convince implementation (or some alternative) sooner, rather than later
justin: one more new issue that nick found
<justin> issue-267?
<trackbot> issue-267 -- registration of DNT/Tk header fields and ./well-known/dnt URI -- raised
<trackbot> http://www.w3.org/2011/tracking-protection/track/issues/267
justin: issue 267
npdoty: it is a last call comment
... track header fields and URIs for standards... need to follow process to share these
justin: when?
roy: whenever we want
... once registered, can't un-reg
<npdoty> are we planning to change any of these names, though?
justin: roy, can u remind us on your todo list?
roy: with new ones today, i have describe JSON formats
<npdoty> +1, we don't care :)
roy: no one in working group cares about these changes
<walter> +1
justin: anything else on TPE?
<crickets>
<justin> issue-24?
<trackbot> issue-24 -- Possible exemption for fraud detection and defense -- pending review
<trackbot> http://www.w3.org/2011/tracking-protection/track/issues/24
scribe: now issue 24
... shane obj to graduated resp... he and david worked on some new lang.... nick was going to propose a merger of some lang he had objs to
npdoty: I have submitted propose yet
justin: on issue 235 on auditability
<npdoty> ACTION: doty to propose merger of security language [recorded in http://www.w3.org/2014/10/22-dnt-minutes.html#action01]
<trackbot> Created ACTION-462 - Propose merger of security language [on Nick Doty - due 2014-10-29].
justin: shane and amy mentioned not sure what it meant
<walter> Yes, I will do so
justin: asked walter to craft guidance lang
... want to share walter?
walter: i'll provide write up with general principles and current thinking
justin: okay
walter: more focused on gen principles and not prescriptive
<npdoty> walter, were you looking for non-normative examples? or normative requirements?
justin: good, but some specificity might be helpful to get meeting of the minds
<justin> issue-148?
<trackbot> issue-148 -- What does DNT:0 mean? -- pending review
<trackbot> http://www.w3.org/2011/tracking-protection/track/issues/148
justin: two more issues
... issue 148
... def of DNT:0
<walter> npdoty: I want to encapsulate some general EPD auditing principles or refer to them, but that takes some looking into global standards in that field
<npdoty> " When a user sends a DNT:0 signal, the user is expressing a preference to allow tracking. This recommendation places no restrictions on collection or use of data from network interactions with DNT:0 signals. Note, however, that a party might be limited by its own statements to the user regarding the DNT:0 setting. "
justin: nick sent some lang on this to the group... nick, care to describe?
<walter> npdoty: luckily I have some EDP auditors around at my day job
<fielding> http://lists.w3.org/Archives/Public/public-tracking/2014Oct/0085.html
npdoty: please provide feedback.... took away personalization, just speaks to tracking and some statements related to UGEs
... I would appreciate review
<moneill2> npdoty, that text ok with me
<walter> Yes, I would support such language
justin: consent you give is limited by the offer presented
<scribe> ... pending review... raise concerns people
<npdoty> great.
UNKNOWN_SPEAKER: final issue 203
<justin> issue-203?
<trackbot> issue-203 -- Use of "tracking" in third-party compliance -- open
<trackbot> http://www.w3.org/2011/tracking-protection/track/issues/203
UNKNOWN_SPEAKER: how to use tracking in the document
... stuck on this for a while... roy proposed a considerable re-writing...
<npdoty> http://www.w3.org/wiki/Privacy/TPWG/Change_Proposal_Tracking_Third_Party_Compliance
UNKNOWN_SPEAKER: not sure how to resolve... nick and roy are generally agreed on what we want to accomplish... not agreeing on implementation of lang
... personally, I don't care
<moneill2> +q
UNKNOWN_SPEAKER: anyone within the group have strong feelings on this one?
<WileyS> There are no restrictions on user IDs...?
mike: user ids, i prefer david's proposal b/c it retains user id restrictions, Roy's doesnt have this, right?
justin: i am confused by your statement
... both relate to tracking data
... both would include uniq ids
... not seeing the delta you are referencing
roy: (scribe fail)
mike: check out david's section (normative bit)
<npdoty> I don't think there's a difference, except for where that paragraph is located
mike: my POV is the approach of having some personal data b/c has id and is going across contexts is a problem
<fielding> "Outside the permitted uses and explicitly-granted exceptions listed below, a third party to a given user action MUST NOT collect, share, or associate with related network interactions any identifiers that identify a specific user, user agent, or device. For example, a third party that does not require unique user identifiers for one of the permitted uses MUST NOT place a unique identifier in cookies or other browser-based local storage mechanisms."
justin: data min lang is agreed upon and close issue
... (paraphrase) we've covered this in data min
<WileyS> None are reasonably available so that solves that issue...
justin: roy are you proposing to elim that lang
roy: yes
justin: this is a long standing core issue...
<npdoty> that language ^ above is present in both proposals, though in different sections
justin: this is resolved previously
mike: (scribe fail)
roy: i was thinking do not add things that you do not need
justin: do redundant?
... so redundant?
<WileyS> Have to drop a bit early - apologies (heading to the airport and it's raining so may take longer than I hope)
roy: yes
justin: conceptually, you dont see a diff between yours and david's?
roy: no, there is a diff
... not in david's b/c his scope is less
... diff example: (paraphrase) can collect a cookie and not retain, therefore is not breaking DNT
... accepting cookies (which could be an id) doesn't necessarily mean there is tracking, but way it is written, this doesnt match
(scribe is waiting for conclusion to paraphrase entire conv)
justin: I dont see diff, just need to convey clearly
npdoty: i dont see a big difference
npdoty: there is something else in gen req section
... see 3.4.1.1
justin: do you see a delta between yours and david/nick's?
roy: most of mine is editorial...
... my prim concern is the TPE has reqs around tracking data and TCS has reqs around 1st and 3rd and imps dont know (for the most part) when they are 1st vs. 3rd party
... if re-phrased as what I claim to be instead of what I am, that takes care of editorial distinction
... rest is readability really
... making permitted uses applicable to all parties, with one exception (scribe missed very end)
justin: distinction appears to be meaningful
... nick are you okay moving to that model?
... do you agree with Roy's concern?
npdoty: useful to know it is mostly editorial
... i am for consistency
... i thot we already agreed on lang about i thot I was a 1st party... i dont see need to re-write, but if just editorial and we need to have clarity, then I have something to do
justin: i think is editorial, but want to hear from others and will harass you on email to answer
rvaneijk: question about audience measure -- what is the status
justin: working on it and will have something in 2 weeks (next call)
... bye great folks
<npdoty> trackbot, end meeting
Scribe: kulick
Present: Fielding, npdoty, hefferjr, Wendy, +31.65.275.aaaa, walter, Carl_Cargill, rvaneijk, kulick, Chris_Pedigo, justin, moneill2, eberkower, WileyS, vincent
Regrets: dsinger
Date: 22 Oct 2014
Minutes URL: http://www.w3.org/2014/10/22-dnt-minutes.html
People with action items: doty