<ParLannero_> Scary permissions! Great topic.
<npdoty> scribenick: npdoty
[introductions of reps from Chrome, Brave, Apple, Mozilla]
standardizing permissions models vs. leaving it up to each browser?
jnovak: how can we tie a
permission to a user event; what is the value of an asset and
how long should permission last
... iOS and MacOS have different UI with different
affordances
... standards shouldn't overspecify UI
Thomas: don't prescribe how to
actually implement or when to show them, a good amount of
leeway
... would love for browsers to be aligned in their behavior,
when prompting changes
... standardization so that developers have something to build
against -- a balance
... leaning more towards browser being able to change in
response to ecosystem
Diane: for immersive web,
permissions have different weight with the physicality of the
experience
... the way that it's presented to you can really impact what
you do
... asking for access to all files on a device, while floating
in space above a giant grid
[terrifying]
Diane: don't want to overspecify, but need a starting point so that people who are using know where to go to look for permissions and for the interface to be comfortable
tomlowenthal: difficult problem
in establishing informed, affirmative consent for
powerful/invasive practices, while wanting to be respectful of
attention/focus
... responsibility of the browser to be an agent and a
steward
... present questions that they can reasonably decide about,
and only when a decision is necessary
... use clear signals from the user and mediate as the agent on
their behalf
... a Web experience that is safe, respectful of consent and
attention
... different models of consent, but current model is only
okay, drawing a hard line around certain things
... responsibility to experiment
Thomas: +1
jnovak: are we asking users enough questions? in reviewing specifications when we note fingerprinting risks, should we ask the user?
gmandyam: other third-party
interactions, including hardware/platform providers (like my
employer)
... browser would need to handle discovery of local
services
... for example, a network service discovery API that was
proposed, but it was too hard to allow arbitrary access to
local network devices
... at least need browsers to communicate to hardware vendors
and others: what are the minimum criteria needed for these
services to be discoverable?
... just having that out there on paper would help us
<wseltzer> gmandyam: "what is the minimum set of requirements that browsers would require of 3rd party hardware to make their services discoverable to the user?"
Thomas: yes, as browsers need to
communicate to various vendors. not sure if it needs to be
standardized
... browser wants to add a capability, then they should discuss
with other browsers to see if others are interested
<Zakim> robin, you wanted to talk about a baseline for permissions rather than specific UI
robin: don't need complex
standards work, but need some documented/public -- like Notes
at W3C or similar
... so that people not in the room yet, future browser vendors,
etc.
tomlowenthal: a non-standard
ledger, a collective register of what changes are being made
where everyone can get to it (as opposed to silo'd
changelogs)
... have a log of changes which are going to be made
hober: the Interventions document is a similar list
Thomas: Chrome has an Intent to Implement
robin: but maybe it would be
useful to have a place that has it from all the browsers
... has been done specifically around Service Workers
tomlowenthal: index by feature or date, rather than going to each browser's notes individually
robin: whether UI should be
standardized is an old discussion which we won't see new
resolution on
... but, what about a baseline of browser behavior, where
browsers can do more but not less
... we all agree that this is the baseline regarding privacy
and data protection and security on the Web
jnovak: legal requirements that any agent will have to offer, so might basically need to standardize?
Thomas: a minimum standard might
just be what the standards process is
... while it might be nice, I don't think permissions requires
a common set for privacy and security
robin: a uniform baseline so that we can trust the security and privacy of the browser
tomlowenthal: would like that, but would have to include identifiers/fingerprinting, and not sure if that would require prohibiting adding new features
Diane: experimentation is very important for new browsers, wouldn't want a baseline to prevent collection of data on something new
wbaker: experiences required to
portray in front of the user, browsers should own that and take
every active step to do it, and if browsers don't then others
will do that for you
... building consent managers will be difficult, the
countervailing strategies from browser vendors prevent
publishers from building the experiences that they are required
by law to build
hta: the way sites interact with
the browser must be standardized (ways to query, etc.)
... Permissions API heading in the right direction. shouldn't
standardize user interface
... may need Best Practice documents that can be used to
persuade browsers, to enable legal compliance
... need test interfaces for all the permutations of
permissions, what happens if the user grants one permission or
withdraws another one
... API must be standardized and testing must be available, UI
guidance but not standards
aleecia: building consent
management into the browser rather than leaving it to
publishers/other parties
... for GDPR to be implemented in practice, browsers have to
take on consent management
bradkulick: heard multiple cases
of users not being able to manage their data, but users don't
understand the long/detailed statements
... these are all valid, if in tension
... we need to find some consistency somewhere, and within the
browser would be a good spot
weiler: permissions for features and permissions for data -- should we distinguish those
jnovak: no clear separation, some features (geolocation) also produce data
Thomas: notifications is a good
example of a feature that doesn't necessarily implicate user
data
... legitimate sites that want capabilities that come with
data, and they can be good or bad data
ParLannero_: hearing a suggestion
that we have a permission interface in the browser, it might be
difficult
... the browser could delegate the permission interface to a
third party?
<wseltzer> T[homas|om]: No
Thomas: would be hesitant to put
in a third party's hands
tomlowenthal: the permissions
interface is currently a niche feature, but like the
direction
... but concerned about respect for people's time and
attention
... a UX challenge for browsers
bobby: contrast with password managers, a somewhat successful area, what is the utility of a password manager and could we extend that to permissions?
tomlowenthal: a good data breach
dashboard, where you can go to see what has been lost
... could have automatically logging what data has been sent to
which site, a tool that is easy to use and mostly
automated
... lots of engineering work has gone into existing password
managers, most browsers have less implementation than dedicated
software
... could be a template for what we want to do in terms of
managing permissions, it appears only when needed
... doesn't need to be standardized, but could collaborate
Diane: scared by collecting all the data I've sent to all websites in one place
<weiler> +1 to Tom
[recalls that "consent receipts" were proposed for this functionality]
Diane: yay for password managers, but easier to change password than other data about myself
<ryo-k> also +1 to Tom
tdrake: a list of the sites that might have collected data about my physical space
Thomas: interesting, but it would be hard for a browser to do that
Diane: the data collected could be about anywhere
Thomas: it would be nice if we could do more in standards, but as there's still lots of experimentation, leaving decisions up to browser and having active communications from/between browsers
tomlowenthal: want both certainty and improvement, trying things out but also being clear about what we're trying
jnovak: there are exogenous things that may force us
[what's a third party and delegation of software decisions]
<wseltzer> weiler: breakouts
<wseltzer> ... Designate someone other than the leader to take notes and report back
<wseltzer> ... 2: XR (Nell), and Changes in the Environment (Aleecia)
<wseltzer> ... Please scribe
<wseltzer> ... #permissions2 will be XR in the other room
<wseltzer> ... return here at 10:45
<ParLannero_> I will need to logout soon. Thanks for setting up the webex meeting!
<inserted> scribenick: bradkulick
aleecia: DNT started 6-7 yrs ago
on
... not as much on consumer side. then iot has helped to get us
here
... env changed and here we are
... here are 8 thots on changes:
... 1 better priv reporting in journalism
... seeing new financial models, but they are payment for no
ads
... ad blocking is way up
... thot to be niche at first
... ad blocking way up
... adv panic
... dnt was meant to be a way to avoid ad blocking
... when do ad blocking, they don't come back
... on consumers side -- equifax and Cam analytics were big
news
... 80% polling for ccpa would like to be able to opt-out of
data collection
... other changes:
... snowden
... tech stack is all vuln
... privacy issues intermingled with security issues
... NSA wants to keep these security toys, which are also
privacy concerns
... another related piece.. San Bernardino
... govt lost in the press
... this is back for the aussies
... backdoors everywhere unless working with a bank
... using enc is assumption of guilt
martin (who didn't state his name for the scribe): this is not how i see it
scribe: legal status of requests ambiguous
... interesting part of the biz collaboration with govt
aleecia: oath has serious data breaches, but thru lawful intercept (didn't capture all)
martin (who didn't state his name AGAIN for the scribe): the intent was not to break enc and part of supp info to the bills
scribe: not appropriate to characterize as breaking enc
aleecia: thank you martin for the
info
... will be interesting to see how it plays out
... last piece
... learning from brexit, trump, seeing data targeting social
unrest
... fate of western democracy gets hinged in part on what
happens in this room
... people asking FB, G, etc to do better
... do we care, do perms matter
... does this change what we do with perms
wendell: in 2011 and 2012 w3c had
conferences on some of this
... lot of issues that drive ad blocking and DNT... it would be good if web standards supports some things to allow this
... for example something to eliminate need for cookie syncing
... analytics -- there is no understanding of how analytics works
... a lot of these things need to be built on top of the web platform
... find a way to use narrow use cases to allow them
<mt_____> for wbaker: https://developer.mozilla.org/en-US/docs/Web/API/Navigator/sendBeacon
wendell: bizs can be clear what
they need to run
... what is diff is when things are changing
serge: i've studied these... these are honest apps...
... on android platform, where there isn't enforcement. we are finding 75% sending with other identifiers
<serge> *dishonest* apps
serge: ad actors are behaving
sam: what is the impact on ads when 40% say no
wendell: not clear, but will impact the companies and people will be out of jobs
sam: i believe they will work around it
<serge> People were out of jobs when asbestos became illegal
wendell: i believe you are right. biz will try to protect their bizs
<serge> That's not really society's problem.
<serge> Companies don't have an inalienable right to profit by any means necessary.
wendell: but many other players wont be acting in these bad ways
jason: biz models built on platform and now should make changes to continue to allow... is this your argument
wendell: yes, but add constrained changes, not everything
jason: fundamental question: lots of tech used in unforeseen ways and some are priv invasive in unexpected ways, remember platform also needs to think about protecting users.
... i understand the ask for webid for the web
... i would say why not just do contextual ads
wendell: respond to contextual ads
... selling media requires how much you sold
... serverside counting was first used
... it was good in the beginning of web
... still need to be able to measure
jason: i hear your arg as need to
sustain current biz models
... biz models need to adapt
<Zakim> robin, you wanted to speak to a reliable ad stack to bypass cookies entirely
<serge> Food companies would make a lot more revenue if there weren't regulations concerning the amount of rat feces that can appear in their products.
Robin (who also didnt announce his name for the scribe): there are other solutions
scribe: web platform has js to
handle, but the way it is done is a hack ontop of a hack
... fraud is a huge problem
... and adds 20%
... adding ID is not the answer since they will be abused
... maybe alts would be browser vendors, signatures
... signing viewability requests
... prob is real, we should help the ad ecosystem work
better
aleecia: thanks for being
polite
... how do we do it better
... gone from internet should be anon to how we can track and
make better
<tomlowenthal> +q
aleecia: conflating internet with
the web... thats another problem...
... what the point, who is it for, what is it for?
<tomlowenthal> +q to point out that nobody wants to be tracked, and ads don't even need tracking
sam: tv ads did using the tracking that is being asked
martin: and it was terrible
aleecia: in fairness, the
financial model was diff
... i get basic point, but they are diff
tom: nobody wants to be
tracked
... at all
<Zakim> tomlowenthal, you wanted to point out that nobody wants to be tracked, and ads don't even need tracking
tom: in Europe, tracking w/o consent is harmful
... b/c it has been built into the mobile model is not a reason to do it elsewhere
... you don't need to track people to do good ads
... do the moral thing and the right thing
<serge> The ad ID *doesn't* work. Period.
jason: point about ad id in mobile and have for web.... there are a lot of things that might not be okay about it to put it on the web
... it's a complex prob.
... we can look at things
Frauke: i am not sure if it's true that people don't want to see if they need to pay
tom: u don't need to track to see good ads
... you should always have option to pay to not see ads
???: wondering if you could point me to data research
scribe: your point is about def of tracking
tom: my def of tracking is someone else know about multiple events about me
aleecia: i can provide some
research
... bunch of changes
<inserted> scribenick: wseltzer
bobby: The Digital Standard,
https://github.com/TheDigitalStandard/TheDigitalStandard
... examples of insufficient disclosures, e.g. ACR (automated
content recognition) on smart TVs; a fertility-tracking
app
... chart ranking peer-to-peer payment services
... https://twitter.com/darkpatterns
... Deceived by Design
<mt_____> https://fil.forbrukerradet.no/wp-content/uploads/2018/06/2018-06-27-deceived-by-design-final.pdf
<serge> This is highly relevant: https://medium.com/@eshan/the-rise-of-the-ux-torturer-7fba47ba6f22
<mt_____> also: https://blog.cryptographyengineering.com/2018/09/23/why-im-leaving-chrome/
serge: a dark pattern in Office: "Yes" and "Not now" buttons.
robin: have you considered building ranking for browsers?
<mt_____> I got hit by the above: I had to use Chrome because hangouts doesn't work in other browsers; hangouts require login; that meant I was logged in to Chrome = fail
<serge> https://twitter.com/v0max/status/997291608449126400
<serge> my mistake: it's "Accept" and "Learn More"
bobby: yes, and it's complex to do and to keep updated
mt_____: for the rankings, there's additional text available to explain the categories
bobby: prompts for discussion: examples of exemplary behavior?
... Can we have standardized permissions for other user activity?
ted: at what point on a grid do you say "we don't recommend using this application?"
bobby: if there were a real
security problem, we'd indicate that and say don't use
... pushing companies to connect their privacy policies to
product features/capabilities
serge: we're planning to offer an API to our data (on privacy and security flaws in apps)
Frauke: right now you don't have consumer perception in the mix?
bobby: I'd like to get more data on consumers' perception
<christine_utz> Are the tracks synced in some way? I'm worried about missing the Vocabularies session
bobby: we have a national panel surveying individuals
Frauke: are those surveys public?
bobby: no, those are private
https://www.consumerreports.org/digital-payments/mobile-p2p-payment-services-review/
[session switch]
This room will be API designs and consistency
https://www.w3.org/TR/permissions/
<inserted> scribenick: moneill
nick: permissions api - requests or revoke
nic: martin: also restrict()
<wseltzer> https://wicg.github.io/feature-policy/
nick: also talk about FP, CSP, Origin Manifest
martin: mozilla implementing feature policy
nick: many apis have their own permissions api
<wseltzer> moneill: missing from Permissions API is ability for requester to ask why they want the permission, and for that to get recorded
moneill: discuss extra info passed across from origin about purpose etc.
martin: when prompt come, promise does not resolve, yest till doorhanger eventually appears
thomas: browsers should mediate when doorhanger appear
tom: discussion about browser mediation and promise resolution
nell: getting into the weeds on particular use of API
martin: restrict() : csp is a disaster, FP is bastard step child,
... like that top level context has authority
... javascript replaces FP headers
jason: you have add strings to camera access permission api in iOS
nell: visual cues to say text comes from site rather than browser
... it's too easy to be paralysed into inaction
... more user research - we've hit a wall, history is stopping us moving forward
thomas: user study organised thru W3C would be good.
wendy: could be PING that organises those kind of studies.
nell: is there prior history?
wendy: not aware, not directly
nell: if there is existing research, then decide if further could be done thru W3C
jason: ping maybe not the place to start this
nick: this is possibly more than privacy
thomas: Google Chrome already has lot of data
martin: nenough of mozilla data
public
... telemetry is public
nell: we should be aware of what this means before we start. big opportunity for this group to initiate this
tom: what I'm hearing: we need data so we can make decisions, we've hit an empirical question, let's get data from browsers if it's there, then decide then - it's a process
... maybe valuable to have a 1 or 2 day workshop to start off this activity
thomas: hear hear
nell: we have a real opportunity to get answers
wendy: discuss all this at TPAC
<wseltzer> [lunch]
<tomlowenthal> Perhaps, if a WG needs an empirical answer on a question to proceed, they could track that question in the form of their usual issue-tracking, hand that question over to the get-an-answer-to-an-empirical-question process, and then get back an answer before proceeding. Perhaps we could have a workshop on empirical research?
<inserted> scribenick: jnovak
Christine Utz: Did measurements of the top 500 websites in each EU member state and looked to see what happened because of GDPR. Looked at privacy policies and cookie notices.
scribe: Learned about GDPR
yesterday and today.
... Six legal bases: consent is one
... consent needs to be freely given
... some transparency requirements about what consent is given
for
... consent needs to be recorded in some way
<mt_____> c.f. https://en.wikipedia.org/wiki/Hobson's_choice
scribe: and individual needs to
be able to withdraw consent at any time
... Core findings of study is that there is an increase
everywhere in privacy policies and consent notifications
Christine Utz: six types of notifications for consent: No option, confirmation only, binary, check boxes, slider, IAB vendor selection
<ParLannero> Hi, I'm still with you from Europe. Thanks for keeping the Webex open. :)
scribe: in the checkbox model
there's usually one checkbox that is deemed "necessary" and
cannot be unchecked
... slider is also category based
... IAB vendor selection dialog seen earlier in Jo's talk
... display of distribution by type, with 50% having no
banner
... second most is no option
... Problems: nothing prevents websites from deeming all cookies as strictly necessary; need to implement the setting of cookies or not as strictly necessary.
... GDPR requires withdrawal of consent but difficult to implement this especially if a third party cookie because can code the website in a way that the cookies only set after user consent but because of SOP cannot delete the cookie
... As soon as you try to withdraw consent for a third party,
get message that you can't and an opt-out link
... this was the only opt out library that did this; most just
failed silently
... there's also too many consent notifications
... Next steps: usability study of consent notifications, until
this everyone wants a browser based solution
... possibly a matrix based approach?
Mike O'Neill: Regarding third party cookies, can set them using external tag management systems, but, can't get rid of the cookie, but can make sure that the third party cookie doesn't load again.
<wseltzer> https://github.com/gorhill/uMatrix/wiki
<wseltzer> https://arxiv.org/abs/1808.05096
Wendell: Some color into the
world of a big publishing site.
... all of this is the result of process at my shop
... a lawyer (probably) comes and says you will offer these
sorts of opt-in and opt-out functionality to consumers, make it
so.
... the lawyers go off and refine the legal understanding
... at least two, maybe three interpretations of stances the
company and industry would take
... initially a strict consent requirement
... then a legitimate interest basis with silos for some data
that requires additional scrutiny and thus consent (e.g.
geolocation)
... out of all of this there is a set of publishers, people who
operate websites, who legal says liability flows from them to
rest of adtech ecosystem
<christine_utz> Here's the link to our paper: http://arxiv.org/abs/1808.05096
Wendell: publishers had a choice:
they could get the browsers to provide the relevant legal
assurance that the correct solicitations were made and the
material basis was provided and could be passed along down the
line or the publishers would have to go provide own
experience.
... decision was made for variety of reasons that the browsers
would do this
... the purpose of the discussion today is to formulate
problems today to see how much browsers could update and
join
... and put into chrome
... proposal via W3C was a separate cookie jar with provenance
supplied via a header.
... web representation of that standard still out there
... none of the browsers went out to implement that
... in a bizarre state where regulators and legislators
maneuvering faster than the industry
... may get a new law or a legal decision against publishers that may result in the publishers wanting to delegate to the browsers.
<tomlowenthal> +q
Wendell: other point to point out is that it could be produced by the browsers but, today, browser's tracking protection features are blocking cookies for consent because the consent walls are third party cookies
+q
tomlowenthal: would like to understand what, if anything, browsers should build
moneill: Consent UI and
enforcement
... what actually does happen
tomlowenthal: Still don't know
what the mechanism that is desired here
... can you draw what it might look like for some hypothetical
browser?
... Don't know what the actual feature looks like
... heard the term 'consent manager' or 'offload to
browsers'
Wendell: I should be able to go point you to wireframes, but don't have them handy, will whiteboard it.
slides 16-18
wendell: see a series of screens
depending on the set of relationships
... DPCs have said they want 25 screens
... last screen is that if you have relationships with other
service providers, way that GDPR is written is that if you do
business and flow data with co-controllers, have to solicit
consent for the co-controllers so data can be shared with them.
this is different from the processor model.
tomlowenthal: If the last screen is people that a consumer has never heard of, why would they ever say yes?
wendell: Good question
tomlowenthal: If no one ever says yes, why ask the question? Why not automatically say no
wendell: One of the things you
are not allowed to do here is to pre-populate checkboxes
because free and informed consent. Maybe order the list and
have names recognized at the top? It is possible by legal
interpretation to have "yes check here and allow all". That is
a legal interpretation, may change. A substantial number may
change.
... on first party site do see people check it
moneill: have found a roughly 50/50 split, depends on the number of buttons
tomlowenthal: I create an
elaborate API, site calls it and asks for all the permissions.
browser parses this and has the opportunity to present UI to
user, perhaps the user has made decisions already (e.g. never
consent to anything), browser fills out in part with user
decisions.
... a user who downloads brave will make the indication they
never will allow for tracking.
... API is called
... website gets answer No
... If DNT is any indicator, should ask question using the
webpage not the browser API
wendell: Don't follow
... the "not using the browser" piece
tomlowenthal: If you reasonably expect that probably going to get answer no from the browser all the time, why use the browser API, why not ask user?
wendell: Only thing that matters
is if you got more business done, so, if get no business from
browser, why use the browser just use the webpage one
instead.
... get business done = experience product and make money
tomlowenthal: Are you suggesting their goal is not to have consent UI in front of users or to get as many yeses as possible
wendell: Want to have as many
happy people experience work as possible.
... there's a set of experiences in the way mandated by someone
else, so an interest not to do so
tomlowenthal: They're
conditionally mandated: need to get consent only for the things
that are requiring consent
... regardless or not if (legal interpretation that is it is
always necessary to get consent even for not-adtech)
... then, isn't there is a time where the No users have any use
to you
wendell: Know that there are
users who have always said no to tracking in a variety of ways.
There is a discussion as to whether or not some controls
against tracking are legitimate or not. Perspective is that
things built into browser are 'legitimate'
... if it is not in there by the consumer or agents of consumer
to circumvent the publisher's legal requirements.
tomlowenthal: if the ad block is in the browser is that okay under this architecture?
wendell: Yes
tomlowenthal: So ship an API that accepts JSON to display, browser always responds no.
teddrake: Brave is a corner case
tomlowenthal: If it works for always answering No, then, works for every other case
wendell: I thought there was a choice?
tomlowenthal: Yes, the download page says "Block all ads"
Robin: Interest in implementing
browser is to prevent dark patterns from emerging
... I would want browser default answer to be always No
... expect to be relatively synchronous so always
responds
... expect to be not in the way dialog
Wendell: If browsers create this,
and tom's proposal holds of out of browser UI says that you are
blocking all tracking
... or not consenting to any tracking
... Is there a way to ever turn that on?
tomlowenthal: Yes, Brave has an
oft-unused button to disable ad blocking
... it is a second tier shield setting
... if we build this can build a box that says do not consent
to tracking on sites
moneill: needs to be a per site setting
wendell: Would be hard pressed to say that the proposed feature above is not a factory build in thing
<wseltzer> jnovak: if a browser today set DNT to Do Not Track, why wouldn't industry take that as a signal?
<wseltzer> ... if browser asks on first launch, do you want to allow all tracking, no tracking, or site-by-site?
<wseltzer> jnovak: DNT had the agreement not to ask on first launch
<wseltzer> ... has the industry moved to willingness to accept ask on first launch?
<wseltzer> wendell: after 6 years, I believe yes
<wseltzer> ... I think there's appetite for re-evaluating
<wseltzer> ... IAB TCF: transparency and consent framework
<christine_utz> +q
https://iabtechlab.com/standards/gdpr-transparency-and-consent-framework/
<wseltzer> ... if browser were to solicit these dialogs, and those prefs were communicated, we might be able to remove roadblocks
thanks for scribing wendy!
gmandyam: First time I see Brave UA, why don't I pop something up blocking the user from the content
tomlowenthal: User will never see that if using brave
gmandyam: API dialog not that practical as if the browser is not going to give consent, they'll pick it up on the request
tomlowenthal: Then back in the regular world of showing dialog and content
... doing inconvenience blocking but doing it on the secondary dialog
Wendell: One of the tenets is that if the user doesn't consent, not allowed to degrade the experience.
... difficult to defend if you block a specific browser
gmandyam: When I think of the mobile web, look at the UA to tailor the user experience
... service providers could fall back to that
wendell: adopted that.
... consent is the strongest of these but most brittle
... there's a middle level that amounts to a paywall
... beginning to see that sort of stuff
... countermeasures is unambiguously over the line
robin and tom: there's a discussion about the fact that California can require payment; the WP29 interpretation is similar now
christine_utz: suggesting moving web app UI to browser chrome?
wendell: Yes
... there's a declared list
christine_utz: don't agree with
IAB
... need any third party into dialog, would become any
longer
... already unusable for large number of vendors
wendell: Yes. Imagine that the
industry dynamic would be to consolidate players into fewer
companies that own all the media and solicit fewer of
these
... part of the problem is that the list is 300+ now, that
doesn't entail the content providers.
... there's an industry evolution here and there may be only so
much mindshare that consumers can tolerate in the list
harald: trying to imagine embedding a list of vendors in standard and not being anti-competitive
wendell: there's already a set of machine to machine calls at well known URLs
Harald: proposal a solution that requires a service provider?
robin: could imagine a non-IAB
registrar
... could ICANN-esque
wendell: Could be like robots.txt
and hang it off the top of the domain
... alternatively, like ads.txt -- who are the people who can
advertise on my media
... there's a crawling mechanism to check ads.txt
... all of those are more or less in place, already run by a
trade group, a push to remove from that trade group and move it
elsewhere.
... if we did this through a standards space, would want to
delegate this back through the web server itself
harald: so the format of that document would be part of the standard but the content would not be?
wendell: yes. thinking on the
fly, but what's in that document: purposes (currently 24 and ~5
are defined); vendors (names legal entities in a country)
... BBC has to be in the list somewhere and make sure there's
only one entry for them unambiguously and that's what you need
a registrar for
moneill: DNT header was a signal to a domain. Whether or not that server did anything with it is a legal issue. One of the problems with the IAB vendor list is that it is a list of numbers with company names and there's no mapping to domains.
Wendell: there's a privacy policy url that you are required to fill out
moneill: there's not an entry per domain -- doubleclick.net is not clearly associated with Google
Wendell: The names of companies are weird because have LLCs etc.
moneill: Today, go to site, get a domain -- don't get a name there.
... DNT required a set of additional URLs and well-known locations
<christine_utz> We're going to continue doing research about improving consent notifications (as long as there's no browser-based solution), so if you have some ideas for that, I'd love to chat offline.
<wseltzer> https://github.com/w3c/permissions-ws-2018/blob/master/storageaccesspermission.md
<inserted> scribenick: npdoty
directive has been law, but regulations are still in progress in different jurisdictions [?]
moneill suggesting that browser can resolve the legal requirements (on publishers?) on consent for local device storage beyond some exemptions
jnovak: sites seem to be asking for browsers to handle the consent management chrome for a set of permissions that they are required to get
mt_____: hypothetically, mediate consent prompting through the browser, and always-reject
moneill: sites might ask for
cross-domain persistent state for some particular purpose
... that users might agree to
mt_____: cookie-syncing -- if the first-party wants to pass the information along, they can, and can't be stopped
moneill: but there are legal constraints on that -- other people worry about that
robin: if we can make it so that circumvention is a clear legal violation, that might help
gmandyam: if I were trying to share localstorage across origins, I would send it across with webmessage
[but that would be detectable]
[wait, IndexedDB is origin-scoped, right?]
moneill: let's worry about the stuff that is detectable, and let others worry about those other cases
<gmandyam> To npdoty: IndexedDB is origin-scoped, but Web Messaging allows cross-domain info exchange in the context of the user agent
jnovak: how to detect and block third-party cookies is an ongoing implementation
moneill proposal text: https://github.com/w3c/permissions-ws-2018/blob/master/storageaccesspermission.md
can be discussed in wicg going forward
<ParLannero> great! Where do I find wicg?
swapping first/third-party cookie jars (in Safari), or copying a cookie from a first-party jar into the third-party jar
<wseltzer> ParLannero, https://github.com/wicg
<ParLannero> Thanks!
first parties being able to prompt for embedded third parties
npdoty: don't currently have the functionality where a first party can specify that its third parties shouldn't have access to cookies (or only double-keyed cookies)
jnovak: why embed the third-party content?
lots of web functionality for embedding third party content
robin: publishers often want to embed advertising with some functionality but with some limits
https://github.com/whatwg/html/issues/3338
<jnovak> https://webkit.org/blog/8124/introducing-storage-access-api/
<jnovak> https://webkit.org/blog/8311/intelligent-tracking-prevention-2-0/
(links describe current functionality and proposals regarding Storage Access API)
<ParLannero> wseltzer, who was presenting the EU cookie regulation?
<ParLannero> Need to leave. Thanks for having me. I hope there's a followup meeting soon - and the next time I will try to join on venue.
<hta> scribenick: hta
Summarizing the breakouts.
sam: scary permissions - 3 things
stood out.
... engagement as a metric. May be dangerous.
... installation ceremony as a trust indicator. Webstore
presumably blessed.
... 3rd point: should we be doing these things at all? (scary
caps) - not sure where to have that discussion
mt: summary from changes that have happened 7-8 years
... not much more came out concretely from that session
diane: XR takeaways
... XR is great
... 1) fingerprinting, 2) prior art of what to do and not to
do, 3) immersive mode and why it's terrifying
... immersive mode is like fullscreen but more so. AR-lite is a
mode where the page doesn't get that much world info.
... hit-testing can become world map if you do enough of it,
which negates the restriction
... how can we move between inline mode and immersive
mode?
... conclusion: VR/AR/XR are awesome, people should work on it,
and people should make it good
... followup: schedule a couple of hours VC to follow up a few
specific points
... WG will also meet at TPAC
consumer reports session: no reporter
wendy: great presentation on CR
dashboards rating mobile payments apps
... please consider how this can be applied to other products
(browsers!)
... proposal: CR may rate browsers on privacy. Some part of
this could be automated in WPT.
Ryo: Context session
... how to prompt without letting them be exploited to force
users to say "yes"
... geo is easy to understand, others may be much much
harder
... outdating mechanism for permissions?
... iot: Cars are different - need a legal ID to operate
... legal IDs may be used for tracking (if available)
... IoT: how many users are using the devices in the room? Did
the owner give context to them all?
jason: prompting - browser chrome
-....
... could the W3C take on a role to survey results of various
permission models, including possibly displaying words from the
website. Wendy to investigate
vocabularies - Christine Utz presenting
scribe: facilitate talk between
tech people and legal department
... a standardized vocabulary allows creating automated systems
for compliance checks
Martin: taxonomies also cover taxonomy of purposes
Tom: Consent requirements
Jason: some ad industry folks
think that if browsers took care of consent stuff, the cookie
consent walls could go away.
... call for a next step "propose an API"
Tom: Internet Advertising Bureau has a taxonomy and vocabulary
Martin: Storage access
... the proposal being talked about is not internalized by
everyone
... idea is to integrate this proposal with the permissions
API++
... Proposal in the WICG is a next step
tom: Identity
... OAuth IDPs should change their practices to obtain promises from RPs about what they want to do with the authentications provided
... should try to communicate what was the worst thing that
could be done with the capability provided
... try to hold RPs accountable for behavior that diverges from
the expectation of the identity subject
tnattestad: need to incentivize RPs to not require more than they need to have (and for IDPs to not give out more than asked for)
end of summaries
npdoty: what should we do next?
tnattestad: if there's something obvious chrome should be doing, tell me now :-)
robin: we'd like there to be a
lot less to permit and consent to - please protect users'
privacy - implement itp ++
... we as publishers don't want tracking, and would like the
browser vendors to stop enabling it
ted drake: when doing doorhangers, test them without a mouse (keyboard only).... (accessibility)
scribe: how to "see" an alert without visualizing it?
wendy: spec editors asked how to set permission expectations around new features and new apis
giri: no, we're not going to change our guidance. Browser vendors feel like it's their domain. need to continue on that paradigm.
robin: more permissions and more
advice won't help - can we make a simpler model - "casual web"
vs "installed web"?
... could remove a bunch of APIs from the casual web (like
webrtc) - which would remove a lot of fingerprinting
surface
<mt_____> robin says fork the web
npdoty: reasons why we don't want
to do it that way
... progressive enhancements (ask for only the little bits) are
a different approach
<mt_____> npdoty says that the existence of a wall might create conditions where presence on the inner side of the wall privileges certain parties
<wseltzer> weiler: we could write down questions: can you get implicit consent, how can you provide context?
<wseltzer> ... can we enumerate more of those questions?
giri: need to beef up specs on "here are the things that users need to consciously accept doing" - but leave the UI to the browser
<inserted> scribenick: wseltzer
weiler: deeper dive around consents re capabilities and consents around data
jnovak: if the only example is notifications, then why distinguish?
<hta> wseltzer: do you have the pen?
<hta> * please
robin: sounds like discussions from 10 years ago in device APIs
npdoty: principles and questions, rather than concrete guidance, let us give more help
robin: give a checklist to the TAG
<hta> wseltzer: in the absence of specific guidance, we get a common understanding of patterns
franke: I kept hearing about users' lack of understanding; wonder what we can take as a next step there
hta: understanding why the user doesn't understand is a deep question
franke: unpack "privacy", what matters to the user
bobby: I'm re-immersed with how
difficult the problem is
... many more conversations with those who build the
platform
Jo: can we rate the scariness of features?
Dan: help users understand the
consequences of their actions
... what does it mean when they take a choice? standardize the
presentation/common understanding
weiler: thinking of language issues, timing of request
ted: no general issues re accessibility, beyond being able to access the prompt and response. cognitive accessibility, might require reminders
weiler: other assignments or actions?
npdoty: how can site developers do a better job? how can we nudge them toward better jobs?
hober: robin asked to be constrained against doing things
robin: if we can, we'll be pressured into doing them; we'd rather not be able to do bad things
thomas: can we give devs any help other than changing browser or specs?
robin: no
... we're trying to be respectful of users in an environment
that's hostile to them; to do more, requires browsers to
change
hta: realizing how much
infrastructure there is in the advertiser-driven space
... we might be able to help it work better, in conjunction
with browsers, requires that we know about it
robin: there's a lot of what
happens in advertising that even other web devs don't
understand
... there's value in looking at what they do
... horrible mess of hacks and script injection
... if browser supported use cases more directly, we could
reduce a ton of scripts and fraud
... that would help web perf, privacy
... I know there's a business group in W3C
Jo: do we need a code of ethics for API implementers?
ted: Consumer Reports helps there
npdoty: that could help with best
practice for sites
... if we came up with a list that CR evaluated against, e.g.
"good sites don't permission rq on load"
weiler: thank yous!
... PC: thanks Jo, Giri, Nick, Jason, Florian Schaub, others who weren't here or helped behind the scenes
... Jo for lots of advance-work
... Jason and Nick for encouraging diversity
... Thanks to Giri and Qualcomm for hosting.
[applause]
scribe: please share notes
... you can post them to github
... mailing list will continue to exist
tomlowenthal: will you tell us when you have a final report?
weiler: yes
... Thanks all for coming