<wseltzer> Draft minutes from day 1

Session 5: Privacy and Identity

<wseltzer> Greg's slides: http://www.w3.org/2015/digital-marketing-workshop/slides/norcieDigimarketing.pdf

<inserted> scribenick: oyiptong

greg: https a baseline for security
... mixed content is harmful. 20% of advertisers do not support https
... mixed content attack: australian voting site
... https supported, but 3rd party javascript used an outdated version of TLS vulnerable to FREAK attack

<wseltzer> greg: FREAK attack, renegotiation to export crypto -- crypto weak enough to give to our enemies in the '90s

greg: votes for the australian voting websites coud've been modified
... best practices: 1) use HSTS 2) use certificate pinning 3) use TLS not SSL
... data breaches due to failure to implement https may be seen as unfair businesspractice under FTC's section 5 authority

<wseltzer> greg's slides: http://www.w3.org/2015/digital-marketing-workshop/slides/norcieDigimarketing.pdf

<wseltzer> USEMP Velti slides: http://www.w3.org/2015/digital-marketing-workshop/slides/USEMP-VELTI-privacy-aware%20digital%20marketing.pdf

<wseltzer> tmichalareas: USEMP vision for privacy-aware digital marketing

<wseltzer> http://www.usemp-project.eu/

tmichalareas: identified a number of issues around privacy on the internet
... should be developing tools for feedback and control by users
... economic awareness: provide feedback and control to the user about the value of the data they share
... there should be transparency about how they are being targeted
... vision: should be possible to know what personal data is accessible, who is requesting this data and for what purpose
... vision: should be possible to know what the value the data has, should be able to opt-in/out to 3rd parties and to access the derived data (inferences/classifications) relating to his/her profile
... there should be new business models generated where the user is on the receiving end of a financial transaction about their data
... could use DNT to reject ads. interest graph is computed locally by the browser, new targeting happens locally by the browser, ads use this interest graph

<inserted> scribenick: wseltzer

oyiptong: I have code for you, we worked on this
... but challenges: how do you expose to the user what they're about to share
... how do you change as user interests change?
... how do you prevent advertisers from combinig this info with data they already have?

gnorcie: contractual options

oyiptong: many people don't like the contractual hammer
... also, it's hard to audit

tmichalareas: deployment model for smart ads could be data never leaves the browser
... we're going to run a pilot in the next year

BradHill: if you give info to everyone from the browser, you're still sharing with everyone

tmichalareas: if you only share transaction ID

oyiptong: it's very hard to implement client-side decision-making without sharing data

<oyiptong> reza: additive suggestion, requires a standard. many tried it, it has tremendous potential

reza: lots of promise in local computing of preferences, connections to schema.org,

stevez: how do you deal with someone who doesn't own a computer; doesn't own a phone; or uses multiple browsers?

tmichalareas: perhaps we start with simple case, separate interest graphs per-browser

stevez: I can record that I purchased something, so I don't keep getting ads for it

BrendanIAB: I've heard several points at which this tech was designed to be inserted: extension, proxy
... but the way to derive value from data is to prevent others from accruing it
... so it's antagonistic to business models
... it's not exactly friendly
... once you establish buisiness relationships, you have behavioral data in one place, demographic data in another
... so you have to send your proprietary behavioral algorithms to an untrusted client
... and/or send non-behavioral data to the client, which you might be prevented from by contract, privacy risk

tmichalareas: it seems we're near a tipping point now regarding tracking

gnorcie: issue of consent, opt-out

<oyiptong> greg: consent is important for tracking

<oyiptong> greg: fingerprinting/super-cookie are OK in europe, but users need a way to opt out

BrendanIAB: companies that are circumventing ad-blocking are seeing higher click-through and conversion rates

Dutta: RTB 2.3 should require TLS on all communications

marktorrance: tipping point for us as DSP was when a major supplier switched to HTTPS (YouTube)

bhill2: RTB spec is IAB's; there are hard latency requirements, and also technical work that can improve the server-server communicaitons
... there should be an equivalent of istlsfastyet for those measurements and tunings

marktorrance: how could client-side targeting work? At Rocket Fuel, we have 10k ads at one time
... we're not going to preload all of those
... and if we don't preload, act of requesting some will leak informaiton
... so we're going to be on the current system for a while yet
... rich areas for W3C in standardization, taxonomies, product data

keiji: Thanks!
... summary of issues: deployment of HTTPS, local-side targeting

Session 6: Connections

khoya: Kazuhiro Hoya, Fuji Television Network

[slides will be available after]

khoya: Linear TV viewing is still strong

<keiji> khoya: Over 30Gbits/sec traffic for 7 sec traffic down the streaming service.

khoya: challenge, TV and other viewing devices don't have same tracking ID

<keiji> khoya: How to link devices with TV is issue.

khoya: TV in Japan has unique serial number that can be obtained in HTTP transaction

<keiji> khoya: TV has unique serial No., MAC, and old data broad cast tech is being used.

<keiji> khoya: 1 kb NVRAM data is used as cookie.

<keiji> khoya: Hybird TV service (2012-) use HTML5 and CSS.

<keiji> khoya: use Ureg/Greg 16kB each is used.

<keiji> khoya: How to aggrigate user data. Interactive Content, QR-code, HybridTV.

<keiji> khoya: Privacy is traumatized issues in Japan.

<keiji> khoya: Intrusive Agreement is another issue.

<keiji> khoya: Privacy Agreement Survey shows different kinds of terms and condition were preferd.

<keiji> khoya: Same Agreement is prefered for all broadcasters as umbrella.

khoya: umbrella agreement much easier to get people's assent
... Toshiba's TV-Point service, joint project with CCC shoppng point
... offers mileage points for logging of data
... non-exclusive agreement for 3d party use.

<keiji> khoya: CCC/T-point is used as user identifier on TV products from Toshiba with Non-exclusive agreement for 3rd party use.

khoya: caused problems.
... as broadcasters, we think the stare of the market should improve

jinhong: Jinhong Yang, KAIST

<keiji> Jinhong: from KAIST presents Content Sharing on Mobile Browser

jinhong's slides: http://www.w3.org/2015/digital-marketing-workshop/slides/PositionPaper_ShareTag.pdf

<keiji> jinhong: when we share a new on the website.

jinhong: share tag would trigger buttons for users' installed apps

<keiji> jinhong: proposed idea is to have icons to express services to share user data.

dezell: David Ezell, NACS

dezell's slides: http://www.w3.org/2015/digital-marketing-workshop/slides/DigitalMarketingandPayments.pdf

<keiji> David: from NACS digital marketing and payment

dezell: about 153,000 retail petroleum outlets, "convenience stores"
... in the US

<keiji> dezell: Review of NACS Industry Requirements

dezell: many of them single-store operators
... digital marketing is really important to brick-and-mortar stores
... also brands who distribute to convenience stores

<keiji> dezell: will talk on web payment.

dezell: Web Payments

<keiji> dezell: is co-chair of web payment IG.

dezell: mobile wallet, your interface with lots of these technologies
... I'm looking for feedback for the Web Payments group.

<keiji> dezell: Things have changed marchandize have more channel to their customer.

<keiji> dezell: Transaction will become more complex, consumer-centric & safer.

dezell: about 153M transactions a day in C-stores; that's opportunities to interact with consumers

<keiji> dezell: consumer need to be kept impressing.

dezell: consumers don't want yet another single-purpose app
... transaction of the future, you'll get dozens of offers; consumer wants to know, what's the best deal?
... merchants are thinking "own the customer," and "reduce costs"

<keiji> dezell: merchants want to own their costomer while costomer do not want multiple apps.

dezell: other considerations on payments: what's a legal purchase, an offer, taxation, additional payment methods (SNAP)
... Petroleum cards among the earliest credit cards, loyalty programs
... Flash Foods, centralized loyalty program
... saved money by establishing own ACH program, that covered the costs of loyalty program.
... digital marketing needs to be able to promote brands, individual products, product categories, individual merchants, payment service providers, and payment schemes

<keiji> dezell: Digital wallet app require digtal offers to answer their questions.

reza: Connecting digital to the physical world, outside interactions

<keiji> khoya: T-point is a point program on merchants is now used to link to TV watching behavior data for advertisement.

<keiji> dezell: Petro pyament now has point system with America express.

BradL: advertising displays at gas stations, why aren't they targeted?

<keiji> Satya: How TV can detect other devices in house?

<keiji> khoya: Now we do not have mechanism to link devices may use user ID application can be used.

<keiji> khoya: T-point may be used to like those costomer devices.

<keiji> Satya: Amazon has chash back now. Will digital wallet have such function?

<keiji> dezell: We are now developing use cases that may include such function.

bhill2: "tracking" is fundamental to payments, reducing fraud
... long precedent of credit card companies selling data offline

<keiji> bhill: Human tracking and payment is interesting topic what do you think linking those data to advertisement or selling those data.

dezell: MC agreement with merchants says, for any txn in which MC is a party, MC is the sole owner of the data. NACS concerned aobut that.

<keiji> dezell: People are going to connect those data.

<keiji> dezell: I donot know what that means.

davidhumpherys: with credit card payments, my data is only as secure as the collection of merchants I've used. What are digital payments doing?

dezell: tokenization

<keiji> david: how digital wallet can manage trust of merchants.

<keiji> dezell: We are working on tokenization to protect security of payment.

<keiji> david: My data will still remain on the server side.

dezell: my definition of credential: a statement of fact

<keiji> dezell: we work on related issues in credential CG.

dezell: authentication asymptotically moves toward identity

<keiji> dezell: credential can be used to prove a fact.

<keiji> dezell: Authentication is used to authenticate credential that is my understanding that may not be accurate.

bhill2: non-binary approach, does my confidence exceed my risk

<keiji> wseltzer: differnet groups are using terms in different ways.

<keiji> ted: IP address is being used as unique identifire. Is it the best way?

<keiji> khoya: IP address is being shared among differnt users sometimes e.g. in huge apartment.

<keiji> khoya: It is not accurate so we are not using it as identifier.

<keiji> wseltzer: How meta-data work with share button on mobile e-mail apprications?

<keiji> jinhong: User can have applications works on their smartphone to handle user operation.

<keiji> dutta: Is there any way to link devices used by same user?

<keiji> khoya: There are no specific technology has been developed.

betehess: re share button, you can use schema.org "share" action
... maybe need an API to register services
... but don't need new markup

<keiji> keiji: UPnP may help to detect other devices on local network.

<betehess> small clarification: schema:ShareAction doesn't seem to implement the same use-case, but that's the right approach

<betehess> link http://schema.org/ShareAction

[lunch]

Running Code

dankaminsky: WhiteOps
... I like the Web!
... it's always up to date
... continuous integration
... that model has now won, to the point that Windows is shipping like web pages
... Web pages just show up, you don't have to install an app
... Don't need permission to write a page
... Independent broker, depends on
... 1) same-origin policy. You can run anything you want, so long as it's on your own content
... 2) the web is mostly safe. If you don't like a site, close it

<keiji> dankaminsky: Malvertising Trap should we block ads? It is not web.

<keiji> dankaminsky: Off-site navigation is a terrible design.

<keiji> dankaminsky: demonstration with slightly modified chrome.

[demo of ways to change page element visibility]

[multiply nested iframe]

<keiji> dankaminsky: You can modify appearance of web window freely.

[now, requestVisibility]

dankaminsky: either you're fully visible, or you're not visible and you know

<inserted> scribenick: keiji

dankaminsky: We take out image object under layear of iframe.
... I am going to post the code to the chrome engineer forum.
... We made output accessibility on top of existing framework.

<wseltzer> dankaminsky: if you have input exclusivity and output visibility, we can start talking about the address bar, indications to user

<wseltzer> ... make it easier for users to interact with users in a trusted manner

dankaminsky: Messing address bar is dangerous. We are dangerous persons.

BradL: If widow come from other app does this still protect?

dankaminsky: My assumption is attack from same application(window).

Andre: If we have multiple frame come from same window what happen?

dankaminsky: It is undefined.
... iframe is all around web being used various purposes.

BrendanIAB: Viewability can be access from parent window?

dankaminsky: Parent can know their child works normal. We can detect attacks ageinst the frames.
... timestamp is not moving.

mark: does filter still work on top of the frame?

dankaminsky: if it is unmodified it works.

<wseltzer> dankaminsky: you can do what you want in the iframe, it won't be affected by what else is sent

<wseltzer> marktorrance: much ad tech goes through multiple intermediaries. who should use ironframe?

<wseltzer> dankaminsky: nested ironframe needs to specced out

<wseltzer> marktorrance: what's the path forward? standards?

marktorrance: does this work only on chrome?

<wseltzer> dankaminksy: after 15 years, I finally joined a standards body

<wseltzer> dankaminsky: ancestorOrigins is part of the spec plan

dankaminksy: working with browser vendors and working for standardization as well.

<wseltzer> jwold: I'm going to demo Ad-ID, download XMP, add it to some assets

jwold: We have authentication model id/password on https.
... we have concepts of groups and accounts.
... explains function of ad-ID management system.
... This works would be based on contract.
... I am making meta-data for ad-ID management.

<wseltzer> [demo of the Ad-ID metadata creation]

jwold: I made a demo how we can make systems to exchange meta-data with standardized way.

jworld: product ID can be stored but not associated with anything here.

wseltzer: we would like to discuss what would be next by reviewing what we had done this two days.

dezell: We may need to form IG or CG.
... UI and web accessibility is important issue we should work on.

BradL: we need to way to control user tracking like standard for script to announce its purpose.

ccc: feature like sandbox and UI are important.

reza: browser support is necessary.

alex: standard for data sharing scaling, social search may be needed.

Andre: topcs blocking, measuring, isolation etc may be need to disucss. Do not know where is the appropriate to discuss on those issues.

wseltzer: way to have more little data may be required.

chad: we need to distinguish bot from others.
... Authenticity is important for anti-bot, anti-malvertisement.

ddd: we need to identify good practices.

BrendanIAB: We have been talking on giving users more choices but publishers do not have chance to indicate their preferences.
... How site can express their preference may be needed.

dankaminsky: What kind of Internet/Web we would like to provide is the key issue.

BradL: security and performance are key issues.

chad: feedback for retargeting may be useful.

Amazon is trying to avoid to give feedback because that may leak user’s privacy.

bhill: : Amazon is trying to avoid to give feedback because that may leak user’s privacy.
... it is difficult to give feedback while protecting user’s privacy.

dutta: We should think from what we want.

wseltzer: iron frame concept is comming to W3C web app security working group. If you are interested in you can participate.
... sandboxing is also things we may work on.
... Server side ad stitching and https (server-server) are other topics need to be solved.

bhill: isolation and federated contents

dankaminsky: cross origin resouce integrity is hard to manage. Server side integration may work well.

BrendanIAB: responsibility issue (root of trust) have to be solved to have single stream of contents.

dankaminsky: I would like to think network channel and security channel separatedly.

keiji: client side (local) targeting is a topic many people are interested in.

Andre: Tracking interaction

BrendanIAB: IAB has API for ads on video

wseltzer: we may be able launch a community group to identify needs of new standards.
... Web Payment activity may be related to your needs in some aspect so we encourrage you to participate.
... linking local devices and users may be another required feature.
... Web payment -> payment IG
... sanbox -> webApp sec wg

eee: security / Malvertising and data collection should be considered differently.

wseltzer: we need to cooperatively work on these issues.
... user agent support for marketing -> CG
... permissions/requests -> WebAppSec WG(API) + permission CG

;-) -> wseltzer

wseltzer: data sharing, sclaeing, social sarch, inter-op action -> scheme.org for marketing??

<wseltzer> wseltzer: Thanks to Chad and Nielsen for hosting in great facilities

<wseltzer> ... Thanks to Reza for co-chairing and Adobe's sponsorship

<wseltzer> ... and thanks to all participants and Program Committee

<wseltzer> [adjourned]

<wseltzer> trackbot, end meeting

<wseltzer> scribes: keiji, oyiptong, wseltzer

This is scribe.perl Revision: 1.140  of Date: 2014-11-06 18:16:30  
Check for newer version at http://dev.w3.org/cvsweb/~checkout~/2002/scribe/

Guessing input format: RRSAgent_Text_Format (score 1.00)

Succeeded: s/is used/is prefered/
Succeeded: s/David/dezell/
Succeeded: s/sitll/still/
Succeeded: s/aaa/BradL/
Succeeded: s/mark:/marktorrance:/
Succeeded: s/bbb/BradL/
Succeeded: s/bill/bhill/
Succeeded: i|https a baseline|scribenick: oyiptong
Succeeded: i|dankaminsky: We take out image|scribenick: keiji
Succeeded: i|I have code for you|scribenick: wseltzer
Found ScribeNick: oyiptong
Found ScribeNick: wseltzer
Found ScribeNick: keiji
Inferring Scribes: oyiptong, wseltzer, keiji
Scribes: oyiptong, wseltzer, keiji
ScribeNicks: oyiptong, wseltzer, keiji

WARNING: No "Present: ... " found!
Possibly Present: Andre AshKalb BillScannell BradHill BradIAB BradL BrendanIAB Dutta Saravana Satya alex andremafei betehess betehess_ bhill bhill2 brad_at_trunica ccc chad dankaminksy dankaminsky david davidhumpherys ddd dezell eee gnorcie greg inserted jarrett jinhong jwold jworld keiji khoya mark marktorrance oyiptong reza scribenick scribes sel sjung skjung skjung_ stevez ted tmichalareas wisegirl wseltzer
You can indicate people for the Present list like this:
        <dbooth> Present: dbooth jonathan mary
        <dbooth> Present+ amy

Agenda: https://www.w3.org/2015/digital-marketing-workshop/agenda.html
Got date from IRC log name: 18 Sep 2015
Guessing minutes URL: http://www.w3.org/2015/09/18-digimarketing-minutes.html
People with action items: