21 Sep 2016

aleecia, matthias_matthiesen, nataliia_bielova, rvaneijk, wseltzer, barryleiba, dsinger, moneill2_, dka, cargill, Axel, frankwagner, francois, JimBell, JoeHallCDT, mkwest, jeff, DanDruta, marta, Benedikt, Chad, Frode, Glenn


scribe: wseltzer

schunter: Background
... we published 2 CRs, TPE and TCS
... TPE: If you're browsing the web, you can tell your browser to send signals about your tracking preference
... that's the easy part
... controversy: if a site receives "I don't want to be tracked," what should they do?
... most sites today do nothing
... status: we're at CR, waiting for implementations and use cases

[slide: TPE]

<rvaneijk> Can someone please send a link to the slides in irc?

schunter: the DNT header and the Tracking Status Object

-> https://lists.w3.org/Archives/Public/public-tracking/2016Sep/att-0015/W3C-TPAC-TPWG-Breakout-Intro-v03.pptx Matthias's slides

[slide: User-granted exceptions]

schunter: negotiation, we discussed in the WG that this negotiation can be used in the European context
... for consent to cookies, stored in the browser
... so when I revisit a site, my preferences can be recalled
... site-wide or web-wide exceptions
... moneill2_ will tell you a bit about how it works in practice
... vincent_ will talk about regulatory context
... other document, little uptake, is Compliance spec
... that's not interesting
... Implementation uptake: signal is supported in most browsers
... most sites ignore the signal


moneill2_: Edge doesn't have the API, IE did
... I'll show you a test page


moneill2_: bouncer lets you grant or block behaviors, expires cookies


moneill2_: you can consent, revoke
... this plugin gives transparency as well as user control
... showing you the trackers, letting you consent per-site

schunter: Consent registration is the main point
... saying "please change your mind" to the customer, and recording that consent

<rvaneijk> The Tracking Status Resource (TSR) is an essential element in terms of the mandatory information requirement in the EU legal framework

schunter: to let us move away from cookie banners

Regulatory Context

schunter: Vincent will give us a quick overview of the European regulatory landscape
... initial impetus to the WG came from EU Commission and US FTC, saying please do something
... now their regulations are increasing

Cargill: while this was underway, we had Snowden's PRISM disclosures that took some attention away from consumer tracking
... but consumer regulation might be coming back to attention
... we want approach to be based in science
... this group had a good technical approach.

schunter: it's not an accident that we're aligned with Europe; we were talking about the problem and to regulators

vincent_: current status in EU
... Data Protection Directive and ePrivacy Directive
... as directives, they must be adapted to 28 countries
... vary. Some countries think cookie IDs are "personal data"
... others "PII"
... different ideas of consent
... e.g. in France, users must interact with web page to consent to cookie being set on browser
... to try to harmonize regulation, art 29 published opinions
... art 29 = group of 28 DPAs in Europe
... differences = why we need a regulation
... May 2016, GDPR. Will be fully applicable May 2018

<rvaneijk> Article 29 of EU Directive 96/46/EC "establishes" the working group.

vincent_: a Reg, not a Directive, means same text applies in 28 countries

<scribe> ... new: personal data definition includes "online identifiers" including cookie IDs

UNKNOWN_SPEAKER: you need consent to collect and process data
... several legal bases, of which consent and "legitimate interests" are most important
... 2009 ePrivacy vs GDPR
... GDPR recital 32

[[(32) Consent should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject's agreement to the processing of personal data relating to him or her, such as by a written statement, including by electronic means, or an oral statement. This could include ticking a box when visiting an internet website, choosing technical settings for information society services or another statement or conduct which clearly indicates in this context the data subject's acceptance of the proposed processing of his or her personal data. Silence, pre-ticked boxes or inactivity should not therefore constitute consent. Consent should cover all processing activities carried out for the same purpose or purposes. When the processing has multiple purposes, consent should be given for all of them. If the data subject's consent is to be given following a request by electronic means, the request must be clear, concise and not unnecessarily disruptive to the use of the service for which it is provided.]]


[highlighted: silence, pre-ticked boxes or inactivity should not therefore constitute consent.]

<rvaneijk> REGULATION (EU) 2016/67 http://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32016R0679&from=EN

schunter: under this reg, you need explicit choice; so you have to click the cookie banner each time
... or use technical means

vincent: and right to revoke
... legitimate interest and right to object (art 21)

[[Art 21. 5. In the context of the use of information society services, and notwithstanding Directive 2002/58/EC, the data subject may exercise his or her right to object by automated means using technical specifications.]]


Cargill: can you object at any time?
... e.g. way down-stream?

vincent: yes

moneill: and it should be erased

vincent: objection might be through automated means

<JoeHallCDT1> dsinger (off-mic): how does the user object?

schunter: if you change DNT:0 to DNT:1 something has to happen

<fwagner> +q

matthias_matthiesen: IAB Europe. If user objects at any time, does that include after processing has commenced, or just before it starts?

Cargill: if halfway through processing, user objects, do you need to retract?

vincent: yes

schunter: there are reasonable limits, but you should be able to withdraw consent

<JoeHallCDT> note that Jonas' sensemaking systems at IBM can redo past inferences once data is removed… not that everyone should go buy that stuff, but that is one technical accommodation to rescinding of processing consent

fwagner: another side condition for consent - it needs transparent information. without context you cannot give consent.

"machine unlearning"

<JoeHallCDT> :)

schunter: If I revoke consent, at least tracking has to stop

vincent: ePrivacy review
... could result in a directive or regulation
... could rely on DNT. coherent with previous directive
... DPAs support DNT
... could be used to obtain consent, not just object

[slide with lots of text]

[European Data Protection Supervisor; Article 29]

<rvaneijk> Slides Vincent: http://lists.w3.org/Archives/Public/public-tracking/2016Sep/att-0016/Slides_DNT-v4.pdf


schunter: at least as of 2018, DNT will be useful

<JoeHallCDT> also note that some providers have created pretty neat dynamic tracking code exclusion based on DNT:1: https://lists.w3.org/Archives/Public/public-tracking/2015Oct/0007.html

schunter: what do we do next

fwagner: can you give us an indication whether DNT is compliant with European law

<rvaneijk> Chapter 10 of the GDPR grants the Commission the power to adopt delegated acts (as referred to in Article 12(8) in respect of standardised icons and in Article 43(8) in respect of certification mechanisms).

vincent: I don't know if there's one technical means we can say

schunter: regulators unlikely to say that DNT is only means, but could say DNT is a likely viable solution

fwagner: if I go to DPA and say I intend to use DNT in this way, can I get an answer that I'll be safe?

vincent: that DPAs are pushing for DNT in ePrivacy review is indication that it could comply

<JoeHallCDT> @rvaneijk are you saying that the EC could mandate some sort of machine-readable transmission of data practices? that seems to be a subset of DNT, now, I would think

schunter: DPAs operate independently

fwagner: GDPR is one-stop shop principle

aleecia: art29 WP has weighed in formally on prior drafts
... we've gotten 2 rounds of guidance
... I think companies in Europe will be able to get guidance

<rvaneijk> @JoeHallCDT Yes that is possible, but another route may be a decision through the data protection board.

aleecia: In US, DNT is considered as opt-out

<JoeHallCDT> ah, ty, @rvaneijk

aleecia: In Europe, users must consent else they must not be tracked
... W3C documents allow DNT to be viable under European law.

schunter: get companies interested, pilot, evaluate by companies and regulators
... CR would stay CR through implementation experience

dka: I was curious
... good to see regulatory interest; we've also seen companies like Medium that have seen ways to use DNT in their user experience
... is anyone tracking the self-policing? can we provide positive feedback?
... seems fragmented. all the energy is on blockers.

<JoeHallCDT> FPF maintains a list of DNT respecting sites: https://allaboutdnt.com/companies/

<rvaneijk> https://www.w3.org/wiki/Privacy/TPWG/TPE_Implementation_Report

moneill: there's a page on the wiki ^

schunter: Google had done some anonymizing of users who had DNT set

dka: at Samsung, we have a browser, that currently does not have DNT
... I want to push it back to the engineering team; would like to have the argumentation to do it.

<rvaneijk> Samsung should consider to implement the JavaScript API :)

Cargill: vincent's last slide, there's no explicit reference to self-regulation

<JoeHallCDT> @rvaneijk, meaning that instead of just a dumb DNT:[1,0] setting, they should do the whole thing?

Cargill: "how difficult is it to add this now rather than being penalized for not having"

moneill: quite a few sites in Europe using.

<JoeHallCDT> there some sites that actually block content loading based on DNT:1… not sure those are in the lists

moneill: several thousand sites in Europe

JimBell: seems to me that unless we take some action, we'll end up regulated in some jurisdictions
... suppliers declaration of conformance
... SVOC, VPATS (?)
... probably the only way we're going to avoid regulation

scribenick: JoeHallCDT

wseltzer: running down on time for the session...
... helpful to get the state of internal/external affairs
... question to w3c membership:
... what do you want us to do?
... what should be next
... working on a charter extension so that we can work on what to do next
... we can allow the charter to lapse while maintaining CRs, will return later when we have indications of moving forward next steps to PR and imp. reports, testing usage
... we could re-charter
... under process, we need expression of support, and meet the conditions in the process
... and assure members we have a plan of a path forward
... we know how we are going to get from CR to PR
... Philippe in new role as w3c PM will insist that we have clear deliverables and milestones

schunter: working groups should work
... if we have a plan of what to do and support, we go forward
... if we do not, we will not

dka: what's stopping movement to PR?
... focusing on getting stuff to rec?
... waiting on imps?
... there are a few of them, why wait?
... getting something out there quickly would be much better
... then when the reg. is out, we decide what to do now

schunter: this is my evening job, I have a daytime job
... don't want to just create a document that only sits on a shelf

dka: would point to SVG as an example
... was pushed out, considered dead
... and now is ubiquitous

fwagner: one possible way forward is to do a model implementation
... creating transparency for the users, working with EU regs
... from my perspective, there's [?]

Benedikt: represent Thomson Reuters, aware of GDPR
... DNT is attractive because we can actually talk to regulators about this
... this is something we'd like to stay on the front of
... (vote for re-charter)

aleecia: Dan, we had a call where Jaffe agreed that we had enough imps to move forward
... could promote doc as it is now
... criteria for CR->PR have been fulfilled
... but still not enough
... Jaffe agrees go straight to PR
... agree with that, we'll have a document to work with when a crisis point comes
... if it's still bottled up in committee, it will be harder to get it done
... I see no policy or w3c impediment to putting the PR out there right now

Jaffe: to clarify:
... there are two issues:

<dka> +1 to putting the PR out there.

Jaffe: one is process, one is judgement
... might have said from a formal process view that when we have 2 imps, move forward
... also said there's a judgment call that there needs to be consensus from WG that there needs to be sufficient imp experience
... on the side of servers actually honoring what UAs request, there is work to do

schunter: we can jump through w3c hoops, but it's judgement and energy now
... a WG that consists of only chairs is boring
... can we get support
... e.g., a company saying, we've implemented on a couple hundred sites

dsinger: we could push it out… part of the spec we'd need to remove is the exception calls
... not enough server-side demand for that
... rest could be pushed out


dka: would be better to get it out there
... then the energy could be put into helping implementers and getting more of them

schunter: tomorrow we have a WG meeting
... important to know who in the room can join us in terms of implementation
... based on who wants to join compliance validation in EU
... we can decide to recharter for 6 months
... what slices of spec to push out when is a secondary consideration

wseltzer: this is not a formal WG meeting
... so can't take decisions, can get a sense of what people want to do
... from w3c Team perspective, want a very clear sense of what we want to do when extending charter

dsinger: don't see a practical difference between rechartering and not

schunter: if you don't have a charter, you don't exist
... to do active experiment studies need a charter

Philippe: difficult for me to judge having just walked in the room
... the charter will need to show that you can be successful


cargill: if we get a reference imp. acceptable to EU regulators, then we have something to go with
... if we get an imp and EU regulators say no, that's failure

schunter: way forward is clear…
... found new people interested in this work
... will take it to the WG and see what folks think about rechartering
... morphs the group from a US marketing group to a EU compliance group
... thanks everyone!
... any other stuff you want to know, ping schunter

