See also: IRC log
scribe: wseltzer
schunter: Background
... we published 2 CRs, TPE and TCS
... TPE: If you're browsing the web, you can tell your browser to send signals about your tracking preference
... that's the easy part
... controversy: if a site receives "I don't want to be tracked," what should they do?
... most sites today do nothing
... status: we're at CR, waiting for implementations and use cases
[slide: TPE]
<rvaneijk> Can someone please send a link to the slides in irc?
schunter: the DNT header and the Tracking Status Object
-> https://lists.w3.org/Archives/Public/public-tracking/2016Sep/att-0015/W3C-TPAC-TPWG-Breakout-Intro-v03.pptx Matthias's slides
[slide: User-granted exceptions]
schunter: negotiation, we discussed in the WG that this negotiation can be used in the European context
... for consent to cookies, stored in the browser
... so when I revisit a site, my preferences can be recalled
... site-wide or web-wide exceptions
... moneill2_ will tell you a bit about how it works in practice
... vincent_ will talk about regulatory context
... other document, little uptake, is Compliance spec
... that's not interesting
... Implementation uptake: signal is supported in most browsers
... most sites ignore the signal
moneill2_: edge doesn't have the API, IE did
... I'll show you a test page
moneill2_: bouncer lets you grant or block behaviors, expires cookies
https://baycloud.com/bouncerDownload
moneill2_: you can consent, revoke
... this plugin gives transparency as well as user control
... showing you the trackers, letting you consent per-site
schunter: Consent registration is the main point
... saying "please change your mind" to the customer, and recording that consent
<rvaneijk> The Tracking Status Resource (TSR) is an essential element in terms of the mandatory information requirement in the EU legal framework
schunter: to let us move away from cookie banners
schunter: Vincent will give us a quick overview of the European regulatory landscape
... initial impetus to the WG came from EU Commission and US FTC, saying please do something
... now their regulations are increasing
Cargill: while this was underway, we had Snowden's PRISM disclosures that took some attention away from consumer tracking
... but consumer regulation might be coming back to attention
... we want approach to be based in science
... this group had a good technical approach.
schunter: it's not an accident that we're aligned with Europe; we were talking about the problem and to regulators
vincent_: current status in EU
... Data Protection Directive and ePrivacy Directive
... as directives, they must be adapted to 28 countries
... vary. Some countries think cookie IDs are "personal data"
... others "PII"
... different ideas of consent
... e.g. in France, users must interact with web page to consent to cookie being set on browser
... to try to harmonize regulation, art 29 published opinions
... art 29 = group of 28 DPAs in Europe
... differences = why we need a regulation
... May 2016, GDPR. Will be fully applicable May 2018
<rvaneijk> Article 29 of EU Directive 96/46/EC "establishes" the working group.
vincent_: a Reg, not a Directive, means same text applies in 28 countries
<scribe> ... new: personal data definition includes "online identifiers" including cookie ids
UNKNOWN_SPEAKER: you need consent to collect and process data
... several legal bases, of which consent and "legitimate interests" are most important
... 2009 ePrivacy vs GDPR
... GDPR recital 32
[[(32) Consent should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject's agreement to the processing of personal data relating to him or her, such as by a written statement, including by electronic means, or an oral statement. This could include ticking a box when visiting an internet website, choosing technical settings for information society services or another statement or conduct which clearly indicates in this context the data subject's acceptance of the proposed processing of his or her personal data. Silence, pre-ticked boxes or inactivity should not therefore constitute consent. Consent should cover all processing activities carried out for the same purpose or purposes. When the processing has multiple purposes, consent should be given for all of them. If the data subject's consent is to be given following a request by electronic means, the request must be clear, concise and not unnecessarily disruptive to the use of the service for which it is provided.]]
[highlighted: silence, pre-ticked boxes or inactivity should not therefore constitute consent.]
<rvaneijk> REGULATION (EU) 2016/67 http://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32016R0679&from=EN
schunter: under this reg, you need explicit choice; so you have to click the cookie banner each time
... or use technical means
vincent: and right to revoke
... legitimate interest and right to object (art 21)
[[Art 21. 5. In the context of the use of information society services, and notwithstanding Directive 2002/58/EC, the data subject may exercise his or her right to object by automated means using technical specifications.]]
Cargill: can you object at any time?
... e.g. way down-stream?
vincent: yes
moneill: and it should be erased
vincent: objection might be through automated means
<JoeHallCDT1> dsinger (off-mic): how does the user object?
schunter: if you change DNT:0 to DNT:1 something has to happen
<fwagner> +q
matthias_matthiesen: IAB Europe. If user objects at any time, does that include after processing has commenced, or just before it starts?
Cargill: if halfway through processing, user objects, do you need to retract?
vincent: yes
schunter: there are reasonable limits, but you should be able to withdraw consent
<JoeHallCDT> note that Jonas' sensemaking systems at IBM can redo past inferences once data is removed… not that everyone should go buy that stuff, but that is one technical accomodation to rescinding of processing consent
fwagner: another side condition for consent - it needs transparent information. without context you cannot give consent.
"machine unlearning"
<JoeHallCDT> :)
schunter: If I revoke consent, at least tracking has to stop
vincent: ePrivacy review
... could result in a directive or regulation
... could rely on DNT. coherent with previous directive
... DPAs support DNT
... could be used to obtain consent, not just object
[slide with lots of text]
[European Data Protection Supervisor; Article 29]
<rvaneijk> Slides Vincent: http://lists.w3.org/Archives/Public/public-tracking/2016Sep/att-0016/Slides_DNT-v4.pdf
schunter: at least as of 2018, DNT will be useful
<JoeHallCDT> also note that some providers have created pretty neat dynamic tracking code exclusion based on DNT:1: https://lists.w3.org/Archives/Public/public-tracking/2015Oct/0007.html
schunter: what do we do next
fwagner: can you give us an indication whether DNT is compliant with European law
<rvaneijk> Chapter 10 of the GDPR grants the Commission the power to adopt delegated acts (as referred to in Article 12(8) in respect of standardised icons and in Article 43(8) in respect of certification mechanisms).
vincent: I don't know if there's one technical means we can say
schunter: regulators unlikely to say that DNT is only means, but could say DNT is a likely viable solution
fwagner: if I go to DPA and say I intend to use DNT in this way, can I get an answer that I'll be safe?
vincent: that DPAs are pushing for DNT in ePrivacy review is indication that it could comply
<JoeHallCDT> @rvaneijk are you saying that the EC could mandate some sort of machine-readable transmission of data practices? that seems to be a subset of DNT, now, I would think
schunter: DPAs operate independently
fwagner: GDPR is one-stop shop principle
aleecia: art29 WP has weighed in formally on prior drafts
... we've gotten 2 rounds of guidance
... I think companies in Europe will be able to get guidance
<rvaneijk> @JoeHallCDT Yes that is possible, but another route may be a decision through the data protection board.
aleecia: In US, DNT is considered as opt-out
<JoeHallCDT> ah, ty, @rvaneijk
aleecia: In Europe, users must consent else they must not be tracked
... W3C documents allow DNT to be viable under European law.
schunter: get companies interested, pilot, evaluate by companies and regulators
... CR would stay CR through implementation experience
dka: I was curious
... good to see regulatory interest; we've also seen companies like Medium that have seen ways to use DNT in their user experience
... is anyone tracking the self-policing? can we provide positive feedback?
... seems fragmented. all the energy is on blockers.
<JoeHallCDT> FPF maintains a list of DNT respecting sites: https://allaboutdnt.com/companies/
<rvaneijk> https://www.w3.org/wiki/Privacy/TPWG/TPE_Implementation_Report
moneill: there's a page on the wiki ^
schunter: Google had done some anonymizing of users who had DNT set
dka: at Samsung, we have a browser, that currently does not have DNT
... I want to push it back to the engineering team; would like to have the argumentation to do it.
<rvaneijk> Samsung should consider to implement the JavaScript API :)
Cargill: vincent's last slide, there's no explicit reference to self-regulation
<JoeHallCDT> @rvaneijk, meaning that instead of just a dumb DNT:[1,0] setting, they should do the whole thing?
Cargill: "how difficult is it to add this now rather than being penalized for not having"
moneill: quite a few sites in Europe using.
<JoeHallCDT> there are some sites that actually block content loading based on DNT:1… not sure those are in the lists
moneill: several thousand sites in Europe
JimBell: seems to me that unless we take some action, we'll end up regulated in some jurisdictions
... suppliers declaration of conformance
... SVOC, VPATS (?)
... probably the only way we're going to avoid regulation
scribenick: JoeHallCDT
wseltzer: running down on time for the session...
... helpful to get the state of internal/external affairs
... question to w3c membership:
... what do you want us to do?
... what should be next
... working on a charter extension so that we can work on what to do next
... we can allow the charter to lapse while maintaining CRs, will return later when we have indications of moving forward
... next steps to PR and imp. reports, testing usage
... we could re-charter
... under process, we need expression of support, and meet the conditions in the process
... and assure members we have a plan of a path forward
... we know how we are going to get from CR to PR
... Philippe in new role as w3c PM will insist that we have clear deliverables and milestones
schunter: working groups should work
... if we have a plan of what to do and support, we go forward
... if we do not, we will not
dka: what's stopping movement to PR?
... focusing on getting stuff to rec?
... waiting on imps?
... there are a few of them, why wait?
... getting something out there quickly would be much better
... then when the reg. is out, we decide what to do now
schunter: this is my evening job, I have a daytime job
... don't want to just create a document that only sits on a shelf
dka: would point to SVG as an example
... was pushed out, considered dead
... and now is ubiquitous
fwagner: one possible way forward is to do a model implementation
... creating transparency for the users, working with EU regs
... from my perspective, there's [?]
Benedikt: represent Thomson Reuters, aware of GDPR
... DNT is attractive because we can actually talk to regulators about this
... this is something we'd like to stay on the front of
... (vote for re-charter)
aleecia: Dan, we had a call where Jaffe agreed that we had enough imps to move forward
... could promote doc as it is now
... criteria for CR->PR have been fulfilled
... but still not enough
... Jaffe agrees go straight to PR
... agree with that, we'll have a document to work with when a crisis point comes
... if it's still bottled up in committee, it will be harder to get it done
... I see no policy or w3c impediment to putting the PR out there right now
Jaffe: to clarify:
... there are two issues:
<dka> +1 to putting the PR out there.
Jaffe: one is process, one is judgement
... might have said from a formal process view that when we have 2 imps, move forward
... also said there's a judgment call that there needs to be consensus from WG that there needs to be sufficient imp experience
... on the side of servers actually honoring what UAs request, there is work to do
schunter: we can jump through w3c hoops, but it's judgement and energy now
... a WG that consists of only chairs is boring
... can we get support
... e.g., a company saying, we've implemented on a couple hundred sites
dsinger: we could push it out… part of the spec we'd need to remove is the exception calls
... not enough server-side demand for that
... rest could be pushed out
<Zakim> dsinger, you wanted to talk about the API
dka: would be better to get it out there
... then the energy could be put into helping implementers and getting more of them
schunter: tomorrow we have a WG meeting
... important to know who in the room can join us in terms of implementation
... based on who wants to join compliance validation in EU
... we can decide to recharter for 6 months
... what slices of spec to push out when is a secondary consideration
wseltzer: this is not a formal WG meeting
... so can't take decisions, can get a sense of what people want to do
... from w3c Team perspective, want a very clear sense of what we want to do when extending charter
dsinger: don't see a practical difference between rechartering and not
schunter: if you don't have a charter, you don't exist
... to do active experiment studies need a charter
Philippe: difficult for me to judge having just walked in the room
... the charter will need to show that you can be successful
cargill: if we get a reference imp. acceptable to EU regulators, then we have something to go with
... if we get an imp and EU regulators say no, that's failure
schunter: way forward is clear…
... found new people interested in this work
... will take it to the WG and see what folks think about rechartering
... morphs the group from a US marketing group to a EU compliance group
... thanks everyone!
... any other stuff you want to know, ping schunter
Present: aleecia matthias_matthiesen nataliia_bielova rvaneijk wseltzer barryleiba dsinger moneill2_ dka cargill Axel frankwagner francois JimBell JoeHallCDT mkwest jeff DanDruta marta Benedikt Chad Frode Glenn
Date: 21 Sep 2016
Minutes: http://www.w3.org/2016/09/21-dnt-minutes.html