W3C

- DRAFT -

24 Oct 2018

Attendees

Present
npdoty
Regrets
Scribe
wseltzer


jnovak: background on TPWG charter expiration
... process and lessons learned
... engaging with others (regulators, etc) is valuable
... regulatory processes move at different speeds
... had been hoped that regulatory uptake would push toward implementation, but regulators were slower than standards process

moneill2: ePrivacy directive
... has been around, requires consent
... for active storage (cookies)
... but as a directive, different in every state

<schunter> ... mentions DNT as a preferred/potential solution explicitly (in parliament's draft)

moneill2: now in parliament draft, browser consent signal refers nearly explicitly to DNT

jnovak: 3 phases of what's next
... specs.
... Publish TPE as Note, Purposes appendix as Note, add some context to status

schunter: when WG closes, publish work as a Note, by default
... I drafted a basic status section

<mkwst> wseltzer: In terms of how we characterize why the effort failed to reach REC,

<mkwst> ... I think what we saw is that it wasn't adopted by websites, so we were not eager to tell users they could protect their privacy by enabling DNT.

<mkwst> moneill2: There were examples of using DNT as a consent mechanism.

<mkwst> ... DNT: 1 is the assumed default in Europe.

<mkwst> ... Several thousand sites are using `DNT:0` as a signal.

<mkwst> schunter: But wseltzer is right. Sites generally didn't adopt.

jnovak: new ePrivacy text coming
... cookies for tracking and consent is not going away
... Browsers are doing different things with cookies
... Safari's ITP
... Firefox has opt-in anti-tracking

<npdoty> dsinger, I believe Firefox supported three options for DNT, including DNT:0, and IE supported exceptions, which would do DNT:0 on sites that used the JavaScript API

jnovak: Brave started with privacy-first decisions around cookie policies
... Numerous discussions re path forward on consent
... e.g., should browsers have functionality for cookie consent?
... more support for browsers asking on first launch?
... Improving Advertising BG
... Where does the work continue?
... Is the work even defined?

moneill2: Permissions API, drop-downs for API requests
... no opportunity to convey why they're asking permission
... context on cookies

<jnovak> addendum to earlier statement: Firefox 65 is going to have anti-tracking on by default

<schunter> ... limited functionality; probably not sufficient for GDPR-required consent

<jnovak> wseltzer: Mentioned the improving web advertising business group, trying to start the conversation there on a different footing from the DNT work to see if there's something non-adversarial that would improve the web advertising experience?

<jnovak> ... Something for publishers, advertisers, users, and browser

<jnovak> ... as user-agent.

<jnovak> ... Performance (everyone loads same ad monitoring scripts redundantly)?

<jnovak> ... One of my lessons learned is: we're going to block all your ads unless...

<jnovak> ... Folks remember that users are blocking ads

<jnovak> ... Can we improve the overall situation

mkwst: re opportunity to tell the user why a request is being made
... it's true the browser doesn't do that, but the website has plenty of opportunity to do so, and we encourage them to
... browsers are reluctant to put dev-provided text into browser chrome
... because most of what they're trying to tell users is lies
... Wilander proposed an enumerated list of texts

<moneill2> +q

mkwst: that might be a possibility

<Zakim> npdoty, you wanted to comment on alternatives to arms race

npdoty: non-adversarial is an important lesson
... but not sure what the next steps are
... concerned that having every browser do tracking-blocking is just an arms race
... can we find something more consistent than every implementation doing its own blocking and being reverse engineered

moneill2: learning, legal backdrop
... we need to do something for the transparency required by legislation
... Facebook moving to first-party cookies to counter ITP
... need a holistic response

mchampion: logical next step seems like reconvene as community Group
... follow ePrivacy
... maintaining community of people tracking the issues
... looking for opportunities
... W3C isn't a great venue for zero-sum competition

dsinger: success was indicating clearly that we're interested in working on consensual standards in the area

<npdoty> do people want to talk about concrete other venues? I think we often heard a suggestion it should happen somewhere else, but I'm not sure I heard about successful negotiations elsewhere

dsinger: we should say that we remain open, eg. in BG, to work that bridges interests in user privacy and advertising-supported business
... we tried browser signal, that didn't work, but we're still open to talking

jnovak: Technical standards and regulatory standards work at different speeds

... getting out ahead of the regulators ends up with misunderstandings

scribe: impedance mismatch
... does staying alive as CG further that?

mchampion: to search for common ground

moneill2: mistake to say that tech moves faster than reg
... regs have been there for years, tech hasn't gotten there
... weiler was saying PING could produce documents

weiler: guidance documents

dsinger: we did DNT, then GDPR came, and we tried to make it a solution
... we should instead have looked at requirements from GDPR
... solution looking for problem

<npdoty> is there some way we could work with the guidance of legislators, rather than waiting until the legislation is finished and then consider starting a standard to help?

<jnovak> wseltzer: Worried about keeping a group alive because of the dynamic of some people pointing to the dynamic of "there's work being done thus we must not do anything else"

<jnovak> ... in the US context there was a lot of requests for "don't regulate because we're going to come up with a technical solution"

<jnovak> ... then the technical discussion is "waiting for the regulators"

<jnovak> ... Concerned that this space has plenty of people who are happy with the status quo or satisfied enough that active efforts to block work.

<jnovak> ... For W3C to be effective, need to find things that can reach consensus-based solutions to be engaged.

<schunter> ackds

dsinger: maybe it's good that browsers are behaving differently because it enlarges the attack surface
... lots of solutions bounce data from cookies to URLs and back
... maybe time to re-look at those old specs

mkwst: there's a bis-version of the cookie spec right now in HTTP WG
... same-site cookies, secure attribute, prefixes
... standardize and push out
... there was a notion of iterating more, question of bandwidth
... there are proposals for non-cookie-based mechanisms for HTTP state management

schunter: history
... initially, the notion was to do a consensual standard
... preempt regulation by self-reg
... I was surprised by the loss of consensus in the room

dsinger: we need to come through with the technological end of the GDPR bargain

jnovak: given that DNT has a bit of fingerprinting surface

<jnovak> https://gizmodo.com/do-not-track-the-privacy-tool-used-by-millions-of-peop-1828868324

jnovak: and articles
... actively telling users that DNT does nothing
... is continuing to ship DNT in browsers problematic?

<jnovak> to elaborate on "problematic", more "misleading to users as to privacy protections";

npdoty: I've never been persuaded by that argument
... there are tons of options in your browser
... to which sites don't respond
... so I don't think this one is misleading
... Don't take it out, so it continues to be an alternative

mkwst: another browser should go first
... it would be difficult for any browser to remove the setting

jnovak: strawman "we offer new better tracking protection features, so we remove DNT"

mkwst: our settings text was deliberately setting expectations low

<jnovak> From Chrome UI: "Enabling "Do Not Track" means that a request will be included with your browsing traffic. Any effect depends on whether a website responds to the request, and how the request is interpreted. For example, some websites may respond to this request by showing you ads that aren't based on other websites you've visited. Many websites will still collect and use your browsing data - for example to improve security, to provide content, services, ads and

<jnovak> recommendations on their websites, and to generate reporting statistics."

mchampion: if this were an ordinary spec, we'd be asking about telemetry of how it were actually used

<moneill2> https://baycloud.com/chart/dnt

schunter: I'd like W3C to standardize something even better

mkwst: there's a spec right now with lots of technical detail that no browser has implemented
... there must be something we could do that browsers would implement
... incubation, use WICG to get buy-in from those involved
... get implementation commitments more effective than talking without implementation

<npdoty> I think implementation of a DNT header in UA software is quite widespread, including every major browser

mkwst: browsers aren't the only players
... difficult for them to implement if there's no demand
... if we send out data, and data is not acted upon, we're not getting the effect we want
... need publishers and browsers in conversation

travis: and there needs to be incentive on publishers to consume the data
... or consequences

schunter: browsers potentially interested, publishers haven't been
... could mean that model is broken
... of sending signal

mchampion: are GDPR and ePrivacy creating interest?

moneill2: @@

schunter: jury still out

<Zakim> npdoty, you wanted to comment on experience with arms race

npdoty: sounds as though we're saying we should just work on direct interventions
... we have experience with the arms race
... cookie mgt, flash cookies, blocking, browser fingerprinting
... is that helping users?
... maybe alternatives aren't better than consensus

dsinger: problem with asking for effect that's unverifiable

<schunter> David: TPWG assumed that people play nice. No way to verify that a site promising compliance actually complies.

dsinger: would be great to find consensual standard with benefit to publishers

<schunter> West: Goal is to show people how to make money and do their business while mitigating the privacy violations of the status quo

mkwst: a business problem with taking away the way people are making money, without giving them an alternative
... worth exploring alternative monetization mechanisms

<schunter> "making money in similar ways while respecting privacy"

<schunter> (.. similar money...)

mkwst: you could imagine, e.g., differential privacy, ways to do privacy-friendly measurement
... carrots and sticks

<npdoty> +1 for working on alternatives (though we've seen struggles with adoption there too)

moneill2: beyond personal data

dsinger: we should listen to advertising conferences about the problems they're having and solutions they could use

<npdoty> well-summarized, jnovak

schunter: keep going in advertising BG and PING

https://www.w3.org/community/web-adv/

Summary of Action Items

Summary of Resolutions

[End of minutes]

Minutes manually created (not a transcript), formatted by David Booth's scribe.perl version 1.154 (CVS log)
$Date: 2018/10/24 14:33:57 $
