Difference between revisions of "Privacy/DNT-Breakouts"

From W3C Wiki
(Group D)
(Group E)
Line 86: Line 86:
[http://www.w3.org/2013/02/11-dnte-minutes.html rough minutes]
[http://www.w3.org/2013/02/11-dnte-minutes.html rough minutes]
Section Leader Day 2: Heather West
= Monday break-out session =
= Monday break-out session =

Revision as of 13:28, 12 February 2013

Main room

Star Conference Room, D463

IRC: #dnt

Phone: +1.617.761.6200, conference code 87225

Breakout rooms

Group A

IRC: #dnta

Phone: +1.617.761.6200, conference code 26631

Meeting room: G451

Last Names: A-D

Section Leader: Justin Brookman

rough minutes

Section Leader Day 2: Justin Brookman

Group B

IRC: #dntb

Phone: +1.617.761.6200, conference code 26632

Meeting room: G631

Last Names: E-L

Section Leader: Nick Doty

rough minutes

Section Leader Day 2: Nick Doty

Group C

IRC: #dntc

Phone: +1.617.761.6200, conference code 26633

Meeting room: G725

Last Names: M-R

Section Leader: David Singer

rough minutes

Section Leader Day 2: Ed Felten

Group D

IRC: #dntd

Phone: +1.617.761.6200, conference code 26634

Meeting room: D407

Last Names: S-V

Section Leaders: Dan Auerbach / Wendy Seltzer

rough minutes

Section Leader Day 2: Yianni Lagos

Group E

IRC: #dnte

Phone: +1.617.761.6200, conference code 87225

Meeting room: Star Conference Room, D463

Last Names: W-Z

Section Leaders: Heather West / Thomas Roessler

rough minutes

Section Leader Day 2: Heather West

Monday break-out session

High-level questions for group leaders:

1. “Lifetime browsing history” is a phrase that is often used, but never defined clearly. What would LBH mean as a technical matter?

2. In light of this definition, what technical measures would suppress or delete LBH?

3. Tying LBH to the previous group discussions of “buckets” or “low-entropy cookies,” how can the latter continue while suppressing or deleting LBH?

4. Are there any compelling use cases for retaining detailed browsing history beyond a general time limit on retention?

5. If so, how would you limit those use cases consistent with the goals of: (1) limiting LBH; while (2) enabling “buckets” or “low-entropy cookies”?

Background and more detailed set of questions for group leaders to consider:

1. Describing the task: what would it mean to say that a standard means that a user will have “no lifetime browsing history” (“LBH”) or “no long-term browsing history” (also “LBH”) across multiple sites? Roughly speaking: (a) limit on specific content in referrers (such as search terms); (b) limit on specific story title on a newspaper site (“newspaper.com” is not suppressed, but “newspaper.com.specific story on a government leader’s personal life” is suppressed); (c) also suppress “newspaper.com”?; or (d) anything else?

[Note: Today we are focusing on this task; not taking a position in this exercise about what other mechanisms, inside or outside of DNT, may address user choice about target marketing.]

2. Given that task definition, what measures exist that could address or achieve suppression of LBH? Deletion? Of what? Delinking or de-identification? (Note: the group session on Tuesday will be on specific techniques of de-identification/delinking, after Ed Felten’s presentation on that subject.) Are there other ways to ensure that the detailed URIs are not retained past a certain time?

3. There is interest in “low-entropy cookies” or “buckets” continuing along with the limits on LBH. What would it mean, technically, to continue these while suppressing LBH? Where buckets or low-entropy cookies are used, how should the minimum bucket size be defined? Are any other dimensions relevant to designing what would qualify as a bucket or low-entropy cookie?

4. Any other big-picture things to consider if the DNT standard leads to suppression of LBH, while permitting low-entropy cookies?

5. What role for retention of IP addresses, for what purposes, in suppressing LBH?

6. Here is one option for “short term use”: “Operators may collect and retain data related to a communication in a third-party context for up to N weeks. During this time, operators may render data deidentified or perform processing of the data for any of the other permitted uses.” To what extent would this approach fit with the goal of suppressing LBH? If this approach to short term use is in the standard, are there any uses where details about the browsing history would be retained longer? What are those, and why? Length of time – how would you think about a possible time limit for “short term use”?

7. Moving to specific uses, we had the recent presentation from Media Rating Council about a general one-year retention, but with exceptions allowed where companies have cited privacy concerns. A different but similar audit function concerns financial payments – did a site deliver the promised advertisements? Query – many audit functions are based on sampling rather than having every transaction audited. To what extent has sampling been considered in the DNT process, and to what extent would retention of samples be consistent with suppressing LBH?

8. The MRC speaker said that most campaigns tested by his group are short-term, such as a few weeks or less. What about a presumption that campaigns are that length, but with an exceptions process if a campaign is, of its nature, longer-term?

9. What about cybersecurity, and keeping the detailed URIs? When asked about a one year limit, one person mentioned Black Friday (the day after Thanksgiving), as an example where annual events are important for telling a denial of service attack from heavy shopping traffic. What is the relevance of highly detailed content of this sort over the long term? Suggestions for mitigating the risks that these security databases become the target for subpoenas or other requests that show LBH?

10. How would other possible permitted uses interact with a limit on LBH? [Leader – you can refer to bare bones text for the current list.] If there is a market research permitted use (and some have objected to that), any reason to have the level of detail of the specific URI for more than the length of the short term use?

11. Wrapping up. In light of the discussion, is the goal of suppressing LBH a useful task to address in the DNT process? Do you have a coherent way to do that? What are the pros and cons of working on this goal?