ISSUE-25 on the agenda for the October 02 call from Kathy Joe on 2013-10-02 (public-tracking@w3.org from October 2013)

From: Kathy Joe <kathy@esomar.org>
Date: Wed, 2 Oct 2013 16:21:57 +0200
To: "Matthias Schunter (Intel Corporation)" <mts-std@schunter.org>, "(public-tracking@w3.org)" <public-tracking@w3.org>, "Edward W. Felten" <felten@CS.Princeton.EDU>
Cc: David Stark <david.stark@gfk.com>, "'Weaver, Richard'" <rweaver@comscore.com>, Ronan Heffernan <ronan.heffernan@nielsen.com>, "Berkower, Elise" <elise.berkower@nielsen.com>, "George.Pappachen@kantar.com" <George.Pappachen@kantar.com>, 'Adam Phillips' <adam.phillips@realresearch.co.uk>, "Israel, Susan" <Susan_Israel@Comcast.com>
Message-ID: <CE71F573.30E14%kathy@esomar.org>
Hi there
 
We note that ISSUE-25 is on the agenda for today and wanted to provide the
group with answers to Ed Felten¹s questions:
 
http://www.w3.org/wiki/Privacy/TPWG/Change_Proposal_Audience_Measurement/Ope
n_Questions
 
Regards
 
Kathy Joe
 
Ed Felton¹s questions:
1.   What does "identifying" mean in this text? (One might read "without
identifying" as requiring that data be "de-identified" according to the
definition that appears elsewhere in the spec. But if the data qualifies as
de-identified then no permitted use is required here because the general
safe harbor for de-identified data already applies. Alternatively, if
"identifying" means something different here, then that should be spelled
out.) 
2.   What does "unique key-coded data" mean? Is the text about "unique
key-coded data ..." meant to serve as a definition of "pseudonymized"? If
so, it seems overly prescriptive, requiring one particular method that
(purportedly) qualifies as pseudonymized. Alternatively, this text might be
read as requiring a particular (purported) pseudonymization method. If so,
why require this particular method?
 
Answer: The controls regarding the census data include assigning a random
number to the record and obfuscating the last three digits of the IP
address. These are the current minimum requirements. Different companies may
adopt further pseudonymization practices for technical reasons and these may
change with technology or with national law eg in Germany it is required
that the IP address is hashed as well.
If there is future agreement at international level on pseudonymization
standards or definition, we will adhere to these if they are higher than our
standards as they become available. The census data is held securely, as is
all audience research data, and deleted within the maximum time period for
validation and auditing.
 
We note that the wording is open to misinterpretation because the data is
pseudonomized during processing, and then aggregated (ie de-identified )
data is provided to clients as statistical reports. Therefore without
specifying the method used for pseudonomization, alternative wording could
describe a testable outcome:
 
CURRENT TEXT: The data collected by the third party:
Must be pseudonymized before statistical analysis begins, such that unique
key-coded data are used to distinguish one individual from another without
identifying them.  
 
NEW PROPOSAL: The data collected by the third party:
Must be pseudonymized before statistical analysis begins, such that it is
possible to distinguish one individual from another but the data by itself,
cannot be attributed to a specific device.
 
Ed Felton¹s question
3.   Why allow pseudonymization to be delayed until "statistical analysis
begins"? Why not require pseudonymization to be done promptly when data is
initially collected?
Answer: This data first needs to be filtered on a continuous basis to detect
fraudulent activity such as web bots. As the campaign progresses, you may
detect additional doubtful elements and then need to re-process the data
again to check that they are removed. Once it is certain that the data is
clean, it is pseudonymized before analysis.
 
Ed Felton questions
The "independent certification process under the oversight of a
generally-accepted market research industry organization that maintains a
web platform providing user information about audience measurement research.
This web platform lists the parties eligible to collect information under
DNT standards and the audience measurement research permitted use ..."
 
4.   The authors appear to have a specific organization in mind. Which
organization is  that, and who runs it?
5.     What is the rationale for giving a particular organization control
over the certification process and the ability to declare who is eligible to
exercise this permitted use?

 
Answer: The proposal for Issue 25 has been developed by the major global
providers of AMR. This paper is intended to provide clarity about why the
proposal has been written in the way it has and to help people who are not
familiar with this kind of market research understand how our industry works
to protect consumers¹ personal information, ensure that advertising money is
spent efficiently and encourage effective competition and good innovation by
media publishers. We have tried to incorporate sufficient protections in the
specification to provide reassurance to the members of W3C that this is in
fact the case, but we remain willing to discuss further issues of
clarification or amendment which will provide additional clarity and
reassurance.
 
As noted, explanations and opt-outs are currently offered by AMR providers
separately and there are various self-regulatory mechanisms already in
place. The intention in Issue 25 is to provide an additional level of
transparency and education for users, noting that this use case is not
immediately apparent even for experts in this W3C group. We think that a
common AMR explanation and opt-out will help users understand the purpose,
and ensure that this permitted use remains with the boundaries specified by
the W3C standard. The body would be set up with the participating research
companies as founder members with expert oversight and all companies
operating in this field are welcome to join. We remain open to moving this
into the non normative section of Issue 25 and further discussion as the
standard evolves in practice.
 
Kathy Joe,
Director, International Standards and Public Affairs
Atlas Arena, 5th floor
 <http://www.esomar.org/>
Hoogoorddreef 5
1101 BA Amsterdam
The Netherlands
Tel: +31 20 664 2141

www.esomar.org <http://www.esomar.org/>
ESOMAR, the World Association for Social, Opinion and Market Research, is
the essential organisation for encouraging, advancing and elevating market
research worldwide.


From:  "Matthias Schunter (Intel Corporation)" <mts-std@schunter.org>
Date:  Tuesday, October 1, 2013 5:34 PM
To:  "public-tracking@w3.org (public-tracking@w3.org)"
<public-tracking@w3.org>
Subject:  Agenda for the October 02 call (V01)
Resent-From:  <public-tracking@w3.org>
Resent-Date:  Tue, 01 Oct 2013 15:34:30 +0000

    
 Hi Team,
 
 
 enclosed is the first draft of an agenda for next Wednesday.
 Feedback/comments are welcome.
 
 By end of October 02, we have now concluded Phase 1 (collection of issues
and publishing a working draft) and are now transitioning to Phase 2
(addressing all issues one-by-one). We start with the issues where no input
will be provided anymore (5, 10, 24, 25, ...). The documentation for new
issues can still be enhanced until October 16.
 
 Re-Reminder: Note that Wednesday is the last day where new issues can be
raised.....
 
 Note that we are now starting to prepare 4 issues for determining the
corresponding change proposal to determine consensus.
 The goal is to identify one change proposal for each of them that emerges
as consensus. 
 
 
 Regards,
 matthias
 
 ------------------------------
 
 1. Confirmation of scribe.  Volunteers welcome
 
 2. Offline-caller-identification (see end for instructions)
 
 3. Our perspective on how to shape change proposals (Carl/Matthias)
 
 4. Survey of newly raised issues if any (authors of issues)
     - If you have added an issue, I would like to learn about the new issue
       by means of its author explaining the issue and the proposed
resolution
 
 ----  Processing of issues ---
 
 7.  ISSUE-10 [Justin]
      http://www.w3.org/2011/tracking-protection/track/issues/10
      http://www.w3.org/wiki/Privacy/TPWG/Change_Proposal_Party_Definitions
      As indicated in our plan, ISSUE-10 will now be resolved in the coming
weeks according to the plan below.
     
     On October 02, we will to issue the "call for final change proposals"
(deadline: October 09).
 
 8. ISSUE-5  [Matthias]
      http://www.w3.org/2011/tracking-protection/track/products/5
      
http://www.w3.org/wiki/Privacy/TPWG/Change_Proposal_Tracking_Definition
    As indicated in our plan, this issue will now be resolved in the coming
weeks according to the plan below.
   
     On October 02, we will to issue the "call for final change proposals"
(deadline: October 09).
 
 9. ISSUE-24 [Carl]
      http://www.w3.org/2011/tracking-protection/track/issues/24
      http://www.w3.org/wiki/Privacy/TPWG/Change_Proposal_Security
    As indicated in our plan, this issue will now be resolved in the coming
weeks according to the plan below.
 
     On October 02, we will review the current change proposals and will
issue a "call for draft change proposals"
     to ensure that all draft change proposals for this issue are submitted
by October 09.
 
 
 10.  ISSUE-24 [Justin]
      http://www.w3.org/2011/tracking-protection/track/issues/25
      
http://www.w3.org/wiki/Privacy/TPWG/Change_Proposal_Audience_Measurement
    As indicated in our plan, this issue will now be resolved in the coming
weeks according to the plan below.
  
     On October 02, we will review the current change proposals and will
     issue a "call for draft change proposals" to ensure that all draft
change 
     proposals for this issue are submitted by October 09.
 
 -----------------------------------------
 Reminder: Generic plan to resolve each individual issue
 M0 (announcement): Initial call for change proposals; All change proposals
should be drafted
 M1 (discussion): Initial change proposals have been submitted; Discussion
on change proposals; Call for final list of change proposals
 M2 (discussion): List of change proposals is frozen; Discussion whether
clear consensus emerges for one change proposal
 M3 (announcement): Call for objections to validate / determine consensus
 M5 (deadline): Deadline for inputs to call for objections (2 weeks after
M3); Analysis starts
 M7 (announcement): Results are announced
 
 Note: Each issue requires 2 discussions in the group: One for discussing
initial change proposals and one for discussing final change proposals and
    understanding whether a consensus has emerged.
 
  ================ Infrastructure =================
 
 Zakim teleconference bridge:
 VoIP:    sip:zakim@voip.w3.org <http://voip.w3.org/>
 Phone +1.617.761.6200 <tel:+1.617.761.6200>  passcode TRACK (87225)
 IRC Chat: irc.w3.org <http://irc.w3.org/> <http://irc.w3.org/>, port 6665,
#dnt
 
 OFFLINE caller identification:
 If you intend to join the phone call, you must either associate your
 phone number with your IRC username once you've joined the call
 (command: "Zakim, [ID] is [name]" e.g., "Zakim, ??P19 is schunter" in my
 case), or let Nick know your phone number ahead of time. If you are not
 comfortable with the Zakim IRC syntax for associating your phone number,
 please email your name and phone number to
 npdoty@w3.org<mailto:npdoty@w3.org>. We want to reduce (in fact,
 eliminate) the time spent on the call identifying phone numbers. Note
 that if your number is not identified and you do not respond to
 off-the-phone reminders via IRC, you will be dropped from the call.
Received on Wednesday, 2 October 2013 14:23:01 UTC