W3C

– DRAFT –
Upgrade Privacy Boundaries Defined Solely by Registerable Domains

21 October 2021

Attendees

Present
ChrisNeedham, cwilso, hober, jeff, jrosewell, jyasskin
Regrets
-
Chair
jrosewell
Scribe
wseltzer

Meeting minutes

<johnwilander> I don't see a link to a virtual video session. I'm logged in to web-eur.cvent.com and see the IRC link though.

<johnwilander> Got it. I now saw an email too since I registered for the session.

they appear 5min before the meeting

<johnwilander> Wendy, did you say you'll stop recording once we go into the discussion?

johnwilander, yes, we will announce when recording starts and stops

jrosewell: [presentation]

<Zakim> jeff, you wanted to ask for more clarity about the circular debate. It was not clear to me what James meant.

jeff: Can you be more specific about what you mean by circular debate?

jrosewell: discussion in other groups, PCG, IWAGB
… first party sets, debates around what criteria are needed for a set to be formed
… who makes the decision?
… that takes us to discussions of sanctioned/unsanctioned, good or bad
… A poll in federated ID CG showed a 50-50 split on direction
… need to unblock debates

jeff: there are many topics where we don't yet have consensus, consensus is sometimes hard to reach

<jyasskin> https://github.com/sleevi/psl-problems

jyasskin: Google has a history of both complaining about the registrable domain problem and proposing alternatives such as first-party sets
… I came to this hoping for suggestions or discussions of what to replace the boundary with
… don't think it's productive to say there should be no boundary
… but rather look for replacements
… what do people think alternatives should be?

jrosewell: one idea in the navigation tracking mitigation repository,
… looks at how we can bring contracts into registrable domains

<jyasskin> I believe that's https://github.com/privacycg/nav-tracking-mitigations/issues/13.

jrosewell: people can choose which standard contracts they can have their data shared under
… introduces transparency and audit
… explaining how people can see the parties involved in advertising and tracking

jyasskin: thanks for focusing our attention on OWID as alternative

weiler: thinking about requirements
… you asked where's the authority: ultimately, I'd say, it lies with end-user
… and to be able to exercise, they need to be able to automate

jrosewell: depends what you're sharing. Ordinarily we'd want things to be frictionless

weiler: so why not have user define the policy?

jrosewell: In discussions elsewhere, people have discussed trusting other organizations,
… e.g. the Scouts, to pick a set of settings
… standard contractual clauses, contracts a regulator has approved for data-sharing
… I have another session, through Movement for Open Web, going into detail on a proposed solution

btsavage: personal opinion, not speaking for Facebook
… I think it makes sense to have this conversation
… thinking from perspective of end-user and their expectations
… to the extent personal info is being exchanged between business in ways that would surprise user, that's problematic
… also, few users read privacy policies to understand what's going on
… so we shouldn't rely on privacy policies to set user expectations
… a metric to gauge proposals: to what extent would using $this as a privacy boundary meet user expectations
… domains are visually displayed, there's a decent amount of education
… research; also problems such as phishing and scam domains
… "would sharing data across this boundary surprise or upset people, would it misalign with expectations"

<jyasskin> +1 btsavage

btsavage: and don't expect we can modify those expectations with privacy policies

jrosewell: think we can all agree that terms and conditions are not always read; that's an issue with contract law
… while some companies have tried to make those more engaging
… often, in other industries, you trust someone, an organization standing behind the contracts
… don't see how we can get away from legal contract defining service

btsavage: don't think we as engineers in W3C should be saying it's ok for us to accept surprising information flows, so long as a contract describes that

<weiler> +1 to btsavage re: not relying on contracts, for other reasons

<jyasskin> It's interesting that we have such a consensus among engineers here that terms and conditions are completely useless in getting any sort of real agreement from users, and yet we haven't been able to convince any of the legal system, whether inside or outside our companies, of that. I hope btsavage is right that the legal systems will eventually move in that direction.

btsavage: some contracts we've eliminated, such as overdraft fees

bmay: with Dstillery, do audience targeting
… A domain means lots of different things
… compare "google" to "bobssportinggoods"
… the user is interacting with the organization/people behind the domain
… we'd do well to come up with a new identity primitive
… privacy and identity semantics, as a basis for data-based interactions with individuals and organizations

<btsavage> People may not understand who they are interacting with when they use a website

bmay: rules around how data can be used and transmitted, and means to discover how info has been used
… don't think domains are the answer
… similar to what weiler said, ask the browser to act on your behalf
… develop an auditing and reporting system that would allow user to understand how data is being used and remediate inappropriate uses

eriktaubeneck_: clarification, I wanted to understand what point you were making about Doritos.com and .co.uk having different privacy policies
… in different jurisdictions, they'd have different policies

jrosewell: I was trying to say that because domains are similar, consumers might expect same activity, but it's the privacy policy more than ownership that matters

eriktaubeneck_: I'd expect differences in different jurisdictions

jrosewell: I was trying to show that ownership may not be only relevant factor

seanbedford: also work for Facebook, expressing my personal opinion
… if we're going to draw a boundary, need to be very clear where it sits
… there's a legal definition
… in Papa John's example, a franchised business, each store is a different legal entity
… some connection to entity, user expectation. many facets we need to think about together
… eTLD+1 feels insufficient; hope we can come up with something better
… many different definitions
… user expectations; legal definitions of what a regulator would enforce
… other digital touchpoints I might have with those businesses, e.g. order through an app
… don't think we can come to a single answer focused only on web
… not sure what the better thing will be

jrosewell: can we come to agreement by the end of this discussion?

johnwilander: Apple WebKit; wanted to mention some technical aspects
… cookies can span origins (subdomains)
… if we didn't have cookies spanning origins, and document.domain, we'd just use origin
… there's been a proposal for HTTP state mechanism tied to origin rather than cookies, maybe we can move login there
… and then do isolation based on origin rather than registrable domain
… origin is combination of protocol, hostname, and port
… complete with subdomain
… that triple defines an origin
… most of the web security is tied to origin

<alextcone> <scheme>://[<hostname>.]<host>[:<port>]

jrosewell: your preference would be origin?
… separate origins, with no data-sharing between subdomains

johnwilander: yes, technical implementation, with possible APIs for inter-origin communication

dmarti: when one of the browsers made some changes to data-sharing, there was tremendous user research to back it up

<btsavage> +1

<btsavage> 100% dmarti

dmarti: setting sensible defaults is an argument for user research: mockups with which to ask users "what would you expect to happen in this situation"
… hope we could do that in next iteration of discussion
… I'm happy to share resource links

jrosewell: time for us to think about what happens next

bmay: it's easy to identify domain as wrong primitive; would be interesting to figure what user relates to, and how we define rules for that

weiler: I'm not inclined to rely on contracts, since internet and web cross international boundaries
… I'd rather see us work on technical measures

btsavage: sounded to me as though there was fair degree of consensus with idea that data sharing and privacy boundaries, what browser should do is what people would want if they took the time to understand
… poll, do people believe privacy boundaries should match user expectations

<BrianLefler> +1 user agent acting defensively on behalf of user's privacy is good (though that should also be balanced against usability, privacy isn't the only user concern)

wseltzer: any place to invite people to watch for next steps in this conversation?

jrosewell: there are many groups in which it could fit. I'd like to ask that we make it into one conversation, perhaps in privacy cg

Minutes manually created (not a transcript), formatted by scribe.perl version 136 (Thu May 27 13:50:24 2021 UTC).

Diagnostics

No scribenick or scribe found. Guessed: wseltzer

Maybe present: bmay, btsavage, dmarti, eriktaubeneck_, johnwilander, seanbedford, weiler, wseltzer