Tracking Protection Working Group Teleconference

03 Apr 2017

See also: IRC log


fielding, MikeONeill, schunter, vincent, rob, walter, hadleybeeman, adrianba, at, van, Eijk


Regulatory point: Minimum set of information that needs to be presented from data controller to user.

Scenarios: 1. Out of band; 2. Publisher collects consent for itsefl and others (=known third parties); 3. Real-time ad-bidding (=potentially unknown third parties)

Scenario 3 requires to push information in real-time (since the information is not known before bidding).

<fielding> Today's agenda: https://lists.w3.org/Archives/Public/public-tracking/2017Mar/0039.html

Information: Identity of data controller; Purpose of collection; Retention

+ potentially information how to revoke consent (may be via API or elsewhere)

<fielding> The subrequests to specific domains on a page are known by the UA, including domains that are selected within auction frames that are unknown to the site. What is not known would be third parties that might receive data via the sites invoked.

<fielding> The feedback we received from the web applications folks is that the additional string information is a common security anti-pattern that serves only to obfuscate the actual sources.

Use case: Online ad auction with unknown parties (apriori)

- Question: What is the minimal information required (by GDPR) that those guys need to convey to the user

<fielding> The only way that on-demand bidding works with privacy is to restrict data use (purpose) to a set of standard identified uses and have the user pre-allow a set of such uses for all bidders adhering to that standard. Identifying each and every party in advance of each consent decision will not work for bidding.

- Question: Is there anythig else that the browser (or badger) need to decide whether to call or block the resource.

- Question: Under what conditions would the browser send DNT;0 (instead of DNT;1)

Important: Bidders who do not win must not retain the data. (by contract)

Our focus are the bidders that have won.

<fielding> Next meeting, we need to have a discussion of security problems with existin API and https://w3ctag.github.io/security-questionnaire/

<fielding> trackbot, end meeting

Summary of Action Items

Summary of Resolutions

[End of minutes]

Minutes formatted by David Booth's scribe.perl version 1.152 (CVS log)
$Date: 2017/04/03 17:12:20 $

Scribe.perl diagnostic output

[Delete this section before finalizing the minutes.]
This is scribe.perl Revision: 1.152  of Date: 2017/02/06 11:04:15  
Check for newer version at http://dev.w3.org/cvsweb/~checkout~/2002/scribe/

Guessing input format: Irssi_ISO8601_Log_Text_Format (score 1.00)

Default Present: fielding, MikeONeill, schunter, vincent, rob, walter, hadleybeeman, adrianba, at, van, Eijk
Present: fielding MikeONeill schunter vincent rob walter hadleybeeman adrianba at van Eijk
No ScribeNick specified.  Guessing ScribeNick: schunter
Inferring Scribes: schunter

WARNING: No "Topic:" lines found.

WARNING: No meeting chair found!
You should specify the meeting chair like this:
<dbooth> Chair: dbooth

Found Date: 03 Apr 2017
Guessing minutes URL: http://www.w3.org/2017/04/03-dnt-minutes.html
People with action items: 

WARNING: Input appears to use implicit continuation lines.
You may need the "-implicitContinuations" option.

WARNING: No "Topic: ..." lines found!  
Resulting HTML may have an empty (invalid) <ol>...</ol>.

Explanation: "Topic: ..." lines are used to indicate the start of 
new discussion topics or agenda items, such as:
<dbooth> Topic: Review of Amy's report

[End of scribe.perl diagnostic output]