W3C

– DRAFT –
Tracking Protection Working Group Teleconference

20 March 2017

Meeting Minutes

<mschunter> Any suggestions what 2 topics to promote from "new" to "under discussion"?

<fielding> me too

<mschunter> My webex just ended.

<mschunter> Or crashed

<wileys> Same as Rob - on WebEx but no Host

<Craig> unable to access webex. not accept pw... is the call in number working for anyone?

<walter> present

<walter> as in, about to dial in

<mschunter> https://github.com/w3c/dnt/issues/13

mschunter: today we discuss issue 13, issue 2

<mschunter> https://github.com/w3c/dnt/issues/2

mschunter: one conclusion last week, if using JS API about collecting content, should publish in tracking status resource what you actually do
… issue 19, waiting for text
… is Walter on the call?

rob: trying to call in, not there yet

mschunter: is Mike here? (yes) issue 13

<walter> mschunter: I am trying to call in

<walter> does mschunter actually pay attention to IRC?

mikeoneill: similar to promises, DNT asynch and DNT property in JS
… it’s what it was when the session was enabled, it normally doesn’t change,
… if you had an event, it would be more efficient. could have a DNT change event.
… listen for event, do a call back when the event occurs, which is the DNT value either changed or became valid (couldn’t determine header value initially)

mschunter: if you start with DNT:0, you keep it for lifetime of session?

<mschunter> yes

<wileys> You’ll receive a new DNT header with every single page load so I’m not sure where the “lifetime of the session” comes in from that perspective.

mikeoneill: determine it’s valid inside the callback for the event but not be for other times. this is for JS in a library, there could be better implementations from browsers

mikeoneill: no way to amend or vary that property in a reliable fashion, and in many circumstances doesn’t matter, but could. if there’s a DNT change event, in the callback we can confirm the DNT value is valid

mschunter: have JS property, <can’t understand>
… value can be 0 or 1, maybe it changes

mikeoneill: normally doesn’t change

mschunter: JS call for 0 or 1, if someone revokes consent, i call again and get a different value.

[cross talk]

mikeoneill: can do it inside a time out, a set time interval, but the reason we introduced promises is then we have an artificial delay
… if an event, you know it’s changed. it might change from unknown to known the first time.

mschunter: the point is instead of a variable to poll, you get notified if it changes

<mschunter> DNT-updated event in addition to DNT property.

mikeoneill: if you have an event you can pass the property in the callback. I’m not saying to remove the property. Just that the value is valid guaranteed inside that callback

fielding: don’t see a need for this. parameter is there for JS to check before it does something. not an event that occurs later in the future.
… doesn’t happen on a running page, with ads waiting for value to change

mikeoneill: iFrame, could happen. ad exchange asking for consent and user gives consent.
… get out of the mindset that it’s client-server. code could be operating within the client
… consent can be initiated by top-level context or an iFrame nested within that context
… DNT value that applies could change

<mschunter> MTS: Only relevant if DNT info if 0/1 is cached elsewhere and needs updating for consistency.

mikeoneill: mobile devices are disconnected, could have a web app still running but different origins with JS code operating in combination to implement a web application

fielding: app operates fine, trigger a refresh, communicate with other iFrames. having them all look for an event isn’t — cut off

mikeoneill: you could do it that way but why not a general purpose event, or hang off another event like a message event, or a set time out event

fielding: or just check the value!

mikeoneill: might trigger from timeout or message event
… they might not have been triggered, if they want to know then the only way to determine is to have an arbitrary time out

mschunter: we’re talking across each other
… call the value now, and call it again later [sorry missing this ]

[audio poor]

<walter> rvaneijk: you are hard to understand

rvaneijk: want to understand. if something is loading you want to check to see if it’s finished, with DNT a session can take a long time.
… user can change consent to another status
… trying to understand if there’s a benefit to using an event listener rather than checking DNT status property. doesn’t it make any difference in costs per round trip?

mikeoneill: could do a time out, check every 500 ms and check the value. problem with that, how long is the time out and it’s just annoying.
… have an event, have a callback, you know it’s valid. it’s just a nicer way to do things. and you can guarantee the value is valid.
… trying to come up with a DNT library to implement the API or something like it if the browser isn’t supported. be able to respond with ad iFrames also respond, and implement even if the API isn’t there. but how do you know when it’s valid or not? that’s what i’m trying to solve.
… can write up the use case. if people like it we go with it, if not, drop it
… can define the use case more

fielding: with an event, browser needs to know which listeners to notify, complicated

mikeoneill: just your origin

fielding: browser has to track this, could be each iFrame

mikeoneill: it sets the event and knows where DNT was sent

mschunter: seems nice to have, unless wanted we’ll push it out [for the next version]

<rvaneijk> Mike's proposal seems logical to me, i.e., dnthaschanged.eventlistener: function() {} etc.

mikeoneill: agree, just like to say — will write thoughts and get people to read it, make up minds next time.

(fwiw, sounds good to me but for next version)

fielding: other things to deal with
… so ok to wait a week to see text

walter: would be helpful to see it written, give Mike another week

sorry

<fielding> We need to reopen some last call issues that were closed because they would require a change to the API

<walter> didn't quite get the name of the last speaker

<rvaneijk> Welcome MArtin__Telekom !

mschunter: issue 13, pushed one more week

could someone else scribe?

mschunter: introductions please

MArtin_Telekom: [getting a few words only] working with Mike to implement it for — ?

mschunter: Martin is the first round, was Frank, partially taking over.

MArtin_Telekom: well aligned with Frank

mschunter: one goal Martin has is content management [really unclear phone line]

at: eff, work on privacy badger, been following for 6-8 weeks. started work migrating features into privacy badger to make it more compatible with TPE. focused on tracking status resource and the API
… privacy badger checks to see if there’s a hashed version of EFF’s policy at our own well known url
… also check tracking status resource moving forward
… depends on resolution of outstanding questions in the working group
… our devs are working on this and won’t have a prototype for a little while
… will also implement consent API. users can today white list sites they’re visiting. the consent API gives us another way to deal with that, but there are still WG issues open so we’re looking for a clear spec, but we’ve started work
… will report back as we make progress

mschunter: implementors please give feedback and share ideas

at: understand there’s an enthusiasm to lock it down, so is the feedback all that interesting or just an implementation report?

mschunter: depends how serious the comments are. “this feature doesn’t work with that feature” or use cases that need new JS all valuable information about shortcomings. we’d discuss fix v. postpone.
… wouldn’t constrain yourself, but the smaller the change the more likely it gets into the next release. big issues are still useful, we see what we can do

at: right

Bert: Alan and Martin are not official group members, we might make them so

… give me email address, will contact.

<MArtin__Telekom> Martin Kurze (Deutsche Telekom), working on DNT

[cross talk]

<MArtin__Telekom>

MArtin_Telekom: will work on joining the dlist

(of note, directions are on the home page for the WG)

for EFF, Cory has to tag Alan

fielding: could we do this another time and have a meeting?

:-)

mschunter: issue 2

walter: what will it take for an alternative compliance that piggybacks on TPE
… as long as the URI is an optional part of the spec, it’s foreseeable there will be trouble for alt spec
… we have promises for certain behavior in compliance, and if the promise is an optional flag, then the promise may get ignored or
… would like more info to be mandatory about compliance

<rvaneijk> Walter, I think this would work: "compliance": [
… "http://wetten.overheid.nl/BWBR0009950#Hoofdstuk11_Paragraaf11.1_Artikel11.7a",
… "http://wetten.overheid.nl/BWBR0011468/2016-01-01",
… "https://www.w3.org/TR/tracking-dnt/" ]

walter: would like every party to express their understanding of their role, e.g. “I’m a third party"

mschunter: party has to be mandatory?
… couldn’t you make the flag mandatory by the compliance to use same party field?

<mikeoneill> +q

<wileys> That would be up to the specific compliance standard the site is using

<wileys> I would think any compliance standard can go above and beyond the TPE on what is and is not mandatory

walter: is it appropriate that some flags are mandatory in some compliance contexts?

<mschunter> https://github.com/w3c/dnt/issues/2

<wileys> A compliance standard would NOT be able to go lower than the TPE

<rvaneijk> Wileys, agreed :)

mschunter: not all compliance specs require all fields, but specific “if EFF, then field 5 is not optional, now required as part of EFF”

mikeoneill: not sure what Walter is asking about, same party array?

walter: several ways together. if for example the URI with the compliance spec is not mandatory, how does the UA know which compliance spec is in play?

<rvaneijk> same party could be e.g. "same-party": [

… "natuurlijkehaarkleuring.nl",

… "www.natuurlijkehaarkleuring.nl",

… "natuurlijkehaarkleuring.nl.s3-website.eu-central-1.amazonaws.com",

… "d3789f38w6809i.cloudfront.net"
… ]

<rvaneijk> Which is not the same as a distinction between data controller and processor...

walter: if the same party is not in use, the UA may have a different understanding of roles and causes issues

mikeoneill: so same party array, something the server is declaring?

walter: server doesn’t declare, 1st party contracts to another party to collect user data and only for the 1st party, perfectly fine in EU ePriv regs.
… but the UA doesn’t understand the first party role of the other party, because there is no array being used

mikeoneill: it’s transparency info and the UA isn’t required to look at it anyway

walter: even in the tech spec we say 1st and 3rd parties distinct. but your understanding of your own role is an optional party array

mikeoneill: issue 22 or something?

walter: overlaps

mikeoneill: example of what we want for issue 22?
… discuss that first?
… tell a server if a third party or not, separate issue

<fielding> The UA has no need to look. The compliance requirement is on the server complying to them, not on the user agent, and might not even apply until long after the communication occurs.

at: under the EFF policy, more info is always better, but in terms of how we work 1st party is held responsible for ensuring compliance of their 3rd parties
… either technically, legally, or by design the 1st party ensures the 3rd parties are in compliance with EFF’s
… not that important to us what the other embedded resources believe their role to be

walter: merge with 22 and carry on from there?

mschunter: would be useful. current TPE distinguishes but if there’s no way to find out 1st or 3rd party that’s potentially dangerous. the other issue is how flexible requiring fields per compliance approach. any compliance approach can make a field mandatory but not make it optional,

request: let’s write that into the spec then…

mschunter: writing use cases is a good idea, thanks for volunteering
… which issues next time for the agenda?
… have 5 open issues we haven’t started, send preferences to M

<mschunter> https://github.com/w3c/dnt/issues

mschunter: if no feedback, chair will pick about three

discussion of formatting of docs on github; Roy’s working on it

fielding: we had comments in last call to change to shorter names but MSFT had implemented. will send a proposal to the dlist during the week

mschunter: need a new issue number for that

mikeoneill: just the names or the arch?

<fielding> https://www.w3.org/2011/tracking-protection/track/issues/256

fielding: interface names only.
… if david is able to, maybe there are things we can cull (summarized)

mschunter: do we agree to do this work based on last call comments?

fielding: also changes to promises
… response to issue 256

mschunter: ok, on you to propose updates

fielding: ok

adjourned

Summary of Action Items

Summary of Resolutions

Minutes formatted by Bert Bos's scribe.perl version 2.15 (2017/03/01 16:28:33), a reimplementation of David Booth's scribe.perl.