W3C

Tracking Protection Working Group Teleconference

07 Dec 2011

Agenda

See also: IRC log

Attendees

Present
aleecia, npdoty, NinjaMarnau, dsriedel, PederMagee, efelten, +1.813.366.aaaa, Bjorn, Satish, +1.646.825.aabb, dwainberg, +1.415.354.aacc, +1.206.369.aadd, AlexDeliyannis, +1.202.684.aaee, tedleung, Joanne, WileyS, Bryan_Sullivan, Justin, sidstamm, sharvey, +1.908.541.aaff, fielding, +1.650.485.aagg, jmayer, +1.202.326.aahh, +1.202.263.aaii, +1.334.703.aajj, hwest, +1.813.366.aakk, +1.202.744.aall, vincent, dsinger, enewland, [Microsoft], bryan, +1.347.689.aamm, +385221aann, +1.650.862.aaoo
Regrets
Chair
aleecia
Scribe
dsriedel


<trackbot> Date: 07 December 2011

<Joanne> +1.415.354 is Joanne

<dsriedel_> I will try today

<npdoty> scribenick: dsriedel

<npdoty> http://www.w3.org/2011/11/30-dnt-minutes

<Lia> +1.202.263.aaii is Lia

<aleecia> http://www.w3.org/2011/tracking-protection/track/

Review Action Items

<npdoty> action-34?

<trackbot> ACTION-34 -- Jonathan Mayer to draft Near-Consensus First Party vs. Third Party Section with Tom -- due 2011-11-25 -- OPEN

<trackbot> http://www.w3.org/2011/tracking-protection/track/actions/34

Action Item 10 open

<trackbot> Sorry, couldn't find user - Item

What is the status on Action Item 34?

jmayer: draft written, but not ready yet. back to the drawing board, something ready within 1 week

aleecia: next action item 38 - ISSUE-19

<Frankie> zakim IPcaller.a is Frankie

aleecia: action 36 review on friday with assignees

<npdoty> I think actions 31 and 36 are overdue

<JC> 3326 is JC

WileyS: On action 31 still in progress
... progress made, but big issues

<WileyS> Next week

<WileyS> <fingers-crossed>

<npdoty> action-31 due next Wednesday

<trackbot> ACTION-31 Write up a proposal for a user-agent-managed site-specific exception due date now next Wednesday

aleecia: Next item on the agenda: new business

New business

aleecia: started to assign issues to people, awaiting feedback on them

Frankie: First draft on item for end of next week

<hwest> I'm happy to help with identity language

aleecia: going through the list of items

<hwest> If it's not a conflict to have an editor draft it

aleecia: hwest jumps in to draft on item about identity language

<npdoty> hwest to draft text on ISSUE-32

<JC> Okay

<WileyS> Okay

<WileyS> No problem

<dsinger> ok

<JC> Amy is out

<JC> This week

aleecia: checking with people on the call about their assigned items. makes note to contact people who are not on the call

<WileyS> Jealous of Jonathan!

aleecia: ISSUE-37 to discuss now on the call

<npdoty> issue-37?

<trackbot> ISSUE-37 -- Granularity based on business types and uses -- raised

<trackbot> http://www.w3.org/2011/tracking-protection/track/issues/37

aleecia: how does this happen on a practical level?
... Should it be company by company or on interest based levels, like in current implementations

<WileyS> Too early to rely on ePrivacy Directive

<scribe> ... New cookie directive implies that a DNT:0 does not say on a global level that the user consents with tracking. - EU countries

<bryan> Link to email?

<bryan> ok

<npdoty> bryan, only among a few of us at the moment

WileyS: difficult to disambiguate policy and technical aspects ... group around-31 discusses some use cases ... 1st-parties should ask for an exception regarding DNT for their 3rd parties ... a site asks for exception for itself and its 3rd-parties ... that is one case to look at
... at which time you ask for exceptions ... when the user enters a page ...
... these are open questions ...

<bryan> is it assumed that new 3rd parties are only disclosed when the user pulls content from the site, or is there a push notification being considered?

<justin> Getting permission for "any third party we might want to give approval to track you across any site" leads to absurd results.

WileyS: ePrivacy directive in the EU is not yet fully implemented or within national laws, so it might be early to derive conclusions from that...
... The EU situation is complex and confused at the moment so it is not clear how much of the working group can take from the directive at the moment

<Zakim> npdoty, you wanted to ask about more requirements/use cases for an opt-back-in

npdoty: Requirements and use cases regarding opting back in. Are there any other requirements and use cases the group has?

<npdoty> bryan: what happens when there's a new third party?

<npdoty> ... what happens when data is shared with an additional third party while the user isn't browsing the site any more?

bryan: When is the user informed only when pulling content from the site about the DNT status or also in other ways? For example when a new 3rd-party is acting on the site and the user gave an earlier consent. Is there only a notice on pulling content from the site?

WileyS: different options for the user, how he wants to be informed
... every time he enters
... maybe in an aggregated form

aleecia: there might be cases where a consent every time might be needed, there are others where this might not be necessary.

jmayer: Use case. User: I like what facebook does on other sites, I trust them.

<WileyS> Agreed - only in context of a 1st party relationship or everywhere

jmayer: globally flag a 3rd-party as trusted.

<npdoty> I agree that that use case might be easier

<justin> Doesn't the permission to third-party have to be global? Otherwise, they're basically just a service provider, and they're not covered by DNT!

<npdoty> and we might not need it in the protocol

JC: as having a trusted relationship with a 1st-party site, you might also trust them as 3rd-parties

<justin> There's no need to get a permission to let Yahoo! track me just on the NYT . . .

<npdoty> jc: better to have the capability to sign up with whole groups of third parties (nai, etc.)

ninjamarnau: user should not allow blindly a group of 3rd-parties tracking. User should have site, party specific exemptions. EU needs granularity.

<Job> Just joined IRC. No phone...

ninjamarnau: example: he can allow facebook social plugin and therefore allows it as 3rd-party plugin on different sites.

<dsinger> I think it is debatable whether people are happy with sites they know as 1st parties, being 3rd parties. In specific, many people I know are not happy with the sense that social network buttons on other sites can watch/track their other browsing etc.

<JC> I'm only saying people have a choice

<npdoty> ninjamarnau, just to make sure I got your point there, you're saying that a user might opt in to a third party across sites, but only for certain types of resources from that third party

<justin> jmayer, sure, but the value of behavioral tracking (which is for the most part what we're talking about) comes from cross-site data. I don't see much of a use case for getting a permission for incrementally better tracking on just one site

dsinger: user might disagree with a 1st-party having a plugin tracking them on other sites being a 3rd-party

<WileyS> Agreed - Internet-wide Exceptions should be consent driven, as well as, site-specific exceptions

<WileyS> Internet-wide vs. site-specific - feels like a fair distinction

<WileyS> I didn't say that Ninja

ninjamarnau: disagree with neglecting the ePrivacy directive in this WG

<npdoty> is anyone interested in the use case of "you can track me, but only for analytics" or similar?

aleecia: not sure WileyS neglects it, but sees that it is work in progress

<npdoty> per issue-37

aleecia: so we will have places where we pay attention to it and some where we don't

<justin> jmayer, Definitely, but I think most of that can be done outside of the scope of DNT.

<Johnsimpson> Have joined irc. No telephone, though.

Frankie: Facebook and their plugin is a very simple example. there are scenarios with advertising networks and advertisers behind which draw more complex scenarios.
... have to consider this and work on more use cases

<ninjamarnau> this is the difference between any consent and informed consent

npdoty: another use case - consent for analytics and not tracking

<ninjamarnau> ndoty, i would be very interested

<Lia> I would find that useful

<JC> I felt that was the premise of DNT

npdoty: interest in looking into the option that the user can define what technique he allows and which not

aleecia: there are ppl who want to consider this

<WileyS> Internet-Wide vs. Site-Specific vs. Use-Specific Exceptions (all driven by user consent)

jmayer: yes, there is use for this in form of allow rules for example

<justin> I would prefer to see outsourced analytics and first-party behavioral tracking to be out of scope (as commonly-accepted exceptions to DNT), and the permission to third-parties would allow them to track you across the web.

fielding: once dnt is expressed it is the responsibility of the sites to know how to reply/work with this

<WileyS> Agree with Justin

<bryan> +1

aleecia: back to ISSUE-37

<justin> Close it!

<bryan> (+1) Agree with both Justin and Roy

aleecia: no support for the idea on interest categories - or anyone?

vincent: started prototype on this interest-based DNT

<npdoty> I thought ninja, lia, JC were supportive of use-based granularity for opt-back-in, when I brought it up earlier

<JC> and Microsoft

aleecia: business type == interest groups

<ninjamarnau> ndoty, no not use based - more based on a specific third party

aleecia: should we have the google, yahoo interest group style for DNT?

<npdoty> Lia, can you explain your interest in this granularity?

<vincent> I do :)

<npdoty> JC, can you give more detail on Microsoft's interest in this type of granularity?

<JC> We provide an interest manager similar to Yahoo & Google

<JC> Not that we are interested in this type of DNT approach

<Lia> I was referring to granularity for specific uses of tracking like analytics

WileyS: we have 3 levels of exception. Internet-wide, site specific and use specific exceptions. Down the use specific path it could include the interest based approach. User could give a list of interests to allow tracking for.

<JC> I don't think that would work

aleecia: the granularity regarding an interest area for the user for a 3rd-party on a 1st-party site could be tricky and not very useful

<JC> Agree with Google

<npdoty> jmayer, were you assuming that exceptions would be blanket allow rules? or prefer that the exceptions would be for specific collections/uses?

<jmayer> One reason using existing web tech has some promise for opt-in consent: can create arbitrary types of opt-in.

sharvey: the standard should not include any granularity like interest based filters

<fielding> I meant that, once DNT is expressed, the myriad details of how 1st and 3rd parties are implemented are not really our concern -- we should express the requirements in terms of when and what data can be collected and shared given the presence of DNT since that subject is less site-unique than implementation.

aleecia: We close the discussion on ISSUE-37 for now and make a note about that it is category based/user interests

<aleecia> going to close issue-37 as no, we won't do interest-based categories

<jmayer> npdoty, I don't think there should be any blanket allow rules. Every exception should be for specific collection/retention/use.

<jmayer> npdoty, It's not a great approach, but privacy policies are a starting point.

<dsinger> issue-37?

<trackbot> ISSUE-37 -- Granularity based on business types and uses -- raised

<trackbot> http://www.w3.org/2011/tracking-protection/track/issues/37

vincent: have more look on this issue-37 and use cases

aleecia: issue-37 closed for now

<dsinger> issue-57?

<trackbot> ISSUE-57 -- What if an opt-out cookie exists but an "opt back in" out-of-band is present? -- raised

<trackbot> http://www.w3.org/2011/tracking-protection/track/issues/57

aleecia: ISSUE-57. Conflict between opt-out cookie and an exemption for the same company

WileyS: Idea. Remove the opt-out cookie when there is a DNT:0, but when there is DNT:1 or no info, respect the cookie.

dsinger: the more granular decision is the one that controls

<WileyS> We should document these use cases

<aleecia> I'd like use cases and examples in the spec

<sidstamm> +1 to jmayer

jmayer: we have to look in the sequences when users opt- in or -out and when they do so and in which order, there might be ambiguity; would propose instead a principle of taking the min of all choice mechanisms

<hwest> Have to drop early - sorry!

<aleecia> thanks, Heather

<aleecia> min would mean no override for DNT:1

<aleecia> most recent is tempting but crazy to figure out unless we want to timestamp DNT

fielding: cookie based mechanisms to opt-back-in should be respected, another area of conflict

jmayer: agree if there are opt-in signals in the mix, regarding cookie based opt-in and -outs, especially regarding browsers who (still) do not support DNT; would propose starting with a min rule and then carving out exceptions as necessary; we just need to agree to a clear order of precedence

<WileyS> User-Agent + Cookie State

<WileyS> Interesting new dimension to consider

sidstamm: if the browser does not have a possibility to give more granularity than telling the whole internet: do not track, a cookie based opt-in and -out should be respected for the sake of granularity

<aleecia> :-)

sharvey: asking for more use cases

aleecia: we will get more cases or details on this as ppl are writing up on this issue in the next weeks
... ISSUE-27. Anyone wants to add something to this?

<sidstamm> apologies to all, as usual I have to drop off early

<WileyS> Meeting schedule through the holidays?

<WileyS> I'm out the last 2 weeks of the year - hence my question.

<JC> Any updates on f2f in Belgium?

<JC> I'm out as well

<fielding> me too

aleecia: not talked about this too much yet. 14th of december another call. how about 21st?

<WileyS> My vote is no on 21st and 28th.

<JC> Ditto

<npdoty> I can do 21st and 28th.

<ninjamarnau> yes for 21st no for 28th

aleecia: 28th not clear who will chair it yet

<efelten_> +1

<npdoty> can you make the 21st?

<vincent> ok

<npdoty> +1

<enewland> +1

<Frankie> no preferences on this - already in the office :-(

<tedleung> I can make the 21st

<ninjamarnau> +1

+1

<dsinger> ok 21st

<jmayer> +

<fielding> maybe

<Chris_> yes

<bryan> +1

<Joanne> +1

<clay_opa_cbs> -1

<JC> -1

<WileyS> -1

<andyzei_> +1

<Frankie> +1

<Lia> +1

<andyzei_> err -1

<npdoty> who can't make the 21st? (-1s)

<Lia> can make

<JC> -1

<andyzei_> -1

<punderwood> -1

<aleecia> -1 for cannot make

<WileyS> -1

<npdoty> who can make the 28th?

aleecia: how about the 28th

<fielding> -1 28th

<JC> -1

<dsinger> -1 28th

<andyzei_> +1

<clay_opa_cbs> -1

<npdoty> +1

<justin> +1

<Frankie> +1

<WileyS> -1

<tedleung> -1

<ninjamarnau> -1

<Joanne> -1

<enewland> -1

<vincent> +1

<Chris_> -1

+1

<bryan> -1

<jmayer> +1

<punderwood> -1

<aleecia> 21st: call goes on

aleecia: looks like we have a call on the 21st and none on the 28th

<aleecia> 28th: no call

aleecia: any disagree?
... anyone wants to get some feedback now regarding their action items they are working on right now? Please go ahead...

<JC> Belgium?

aleecia: otherwise we assume you are good to go.
... no updates on F2F

<WileyS> Great call Aleecia - Thank you.

aleecia: end call early as we do not see any further comments
... expecting drafts of texts in the next week

<npdoty> trackbot, end meeting

Summary of Action Items

[End of minutes]

Minutes formatted by David Booth's scribe.perl version 1.135 (CVS log)
$Date: 2011/12/30 00:35:12 $