W3C

- DRAFT -

SV_MEETING_TITLE

22 Aug 2012

See also: IRC log

Attendees

Present
aleecia, cblouch, +1.813.358.aaaa, +1.646.654.aabb, alex, eberkower, +1.813.358.aacc, npdoty, jeffwilson, +1.646.801.aadd, dwainberg, +1.813.358.aaee, BrendanIAB?, +1.813.358.aaff, efelten, suegl, [Microsoft], fielding, adrianba, +1.212.380.aagg, Damiano, Chris_IAB, ninjamarnau, johnsimpson, vinay, sidstamm, +1.303.661.aahh, chapell, WileyS, dsinger, +1.206.361.aaii, +1.646.827.aajj, ifette, KevinT, hwest, amyc, +1.678.492.aakk, rvaneijk, dsriedel, tedleung, [FTC], +1.415.627.aall, jmayer, schunter, Brooks, Matt_AppNexus, laurengelman, [Apple], hober, Joanne, +1.202.386.aamm, +1.678.492.aann, tl
Regrets
Chair
aleecia
Scribe
sidstamm


<aleecia> Hi! Please mute :-)

<aleecia> Thanks!

<eberkower> aabb = eberkower

<damiano> Is the conference code still 87225 ?

<aleecia> (87225 spells out "track")

<damiano> Cannot connect. Does it work only from 12pm and after?

<aleecia> Several of us are already on.

<aleecia> It works from 10 of noon EST and onward, so you should be fine.

<damiano> After I dial the conference code, I hear 3 beeps and nothing else

<damiano> yes

<eberkower> damiano, try waiting for several seconds after you hear the "This is the Zakim Conference Bridge"

<eberkower> Do not enter the code until after the recording tells you to

<eberkower> 813 dropping off may be damiano

<alex> npdoty: it may be Damiano.

<damiano> The admin is joining me

<Chris_IAB> just joined from 212

<damiano> my number is 813 358 etc

<damiano> OK, I can finally hear

<npdoty> volunteers to scribe?

aleecia: I can do it

<npdoty> scribenick: sidstamm

y'all watch me like a hawk and correct me

<aleecia> http://www.w3.org/2011/tracking-protection/track/actions/overdue?sort=owner

Action Items

<johnsimpson> Apologies, I will be dropping off about 9:30...

aleecia: looking at overdue action items

… action 200 (ifette) to write text for issue 84

<dsinger> issue-84?

<trackbot> ISSUE-84 -- Make DNT status available to JavaScript -- pending review

<trackbot> http://www.w3.org/2011/tracking-protection/track/issues/84

<fielding> all of mine are open

<amyc> 206.361.aaii is amyc

<ifette> ISSUE-84?

<trackbot> ISSUE-84 -- Make DNT status available to JavaScript -- pending review

<trackbot> http://www.w3.org/2011/tracking-protection/track/issues/84

fielding: still working on my open issues, not sure what 228 is, will get to it soon

… 116 is waiting until we have a place to put it in the spec

<dsinger> not sure that Ian's action makes much sense…unless he wants to add to the TPE, it seems in hand (issue 84)

… 131 is waiting until we agree on the tracking status resource section

<dsinger> issue-228?

<trackbot> ISSUE-228 does not exist

<npdoty> ifette, I think we're about to close issue 84 unless you want to propose something different

aleecia: [suggests starting with use cases]

<ifette> i just saw that

fielding: can't get to it for two weeks

dsinger: did a basic edit for action 228 already, fielding is welcome to improve it

fielding: can close 228, dsinger's text is good

<npdoty> close action-228

<trackbot> ACTION-228 Update remove methods to have an appropriate failure mode closed

dsinger: probably 84 too

aleecia: 195 is editorial at this point

<aleecia> http://www.w3.org/2011/tracking-protection/track/actions/195

<npdoty> issue-65?

<trackbot> ISSUE-65 -- How does logged in and logged out state work -- open

<trackbot> http://www.w3.org/2011/tracking-protection/track/issues/65

<dsinger> issue-65?

<trackbot> ISSUE-65 -- How does logged in and logged out state work -- open

<trackbot> http://www.w3.org/2011/tracking-protection/track/issues/65

… logged in v. logged-out state discussion went on for a while, but then about a month ago we decided to point to the informed consent section

hwest: do you want us to come up with text?

wileys: justin and I had already made two informed consent drafts

aleecia: we have gone round and round about the difficulty of getting informed consent into text

… let's reassign it to justin and he can help us talk through this

wileys: we have strong difference of opinion, and want to be included with action 195

aleecia: justin can take point, but is a larger issue for discussion

<npdoty> wileys: with justin, had agreed at dc f2f not to include text on informed consent

wileys: both in the exception period and active setting of dnt … whatever that definition is matters for both

aleecia: so I should make sure we bring it up in a call, soon.

… chris on action 229

… wileys, can you help update us too?

<Chris_IAB> Chris P, right?

<npdoty> yes, Chris Pedigo

<aleecia> yes

wileys: haven't heard back from chris p in two weeks

aleecia: can you forward us a draft of the working text?

wileys: no, we were in the middle of a debate

aleecia: 237 - hwest

<npdoty> can we re-assign 229? this is almost a month old already

hwest: I think it just needs a last editing pass

aleecia: please confirm and then close it if it is done

… we probably shouldn't reassign 229, since we'll probably end up redoing it entirely

<npdoty> okay, understood.

… in this case, let's keep it open until chris p comes back, then we can reconsider

<npdoty> https://www.w3.org/2002/09/wbs/49311/tripart/

… reminder - polling choices about "ease of setting" or silence deadline is in one week

ifette: the poll is very binary -- can you live with this or not

… specifically the first question seems to suggest there should be three states, all equally to choose

… what do we say if we don't care how to choose dnt:1 or dnt:0, but it matters that header-on/header-off are both easy?

aleecia: we discussed this in [bellevue], and passed the text for the poll around the group for a number of weeks

… in the future, please make comments on the text earlier

<npdoty> I think the Comments fields could be used to elaborate subtle opinions though

ifette: problem is that this is the first time we are voting, and so it requires us to consult with the rest of our companies

… maybe our personal opinions were in favor of one, but our point of view changes after consulting with others in our organization

aleecia: sounds like we need to build time in for consulting home-office people for some issues

… probably makes sense to send options around internally when we're talking about the text

… but at this point, we can't slow it down (has already been two months), but feel free to add your comments in the remarks field for the options.

<Chris_IAB> the difference is that Google is a 50,000 person org and Mozilla is several hundred, if I'm not mistaken...

… can't just start over, or nothing will get done

Chris_IAB, you're right (Mozilla), but not all 50k at google are stakeholders

brooks: if you offer "equal ease" you're saying any of the options can be default

sorry, that Chris_IAB was not him speaking, it was my comment to him

dsinger: I don't understand why I should be required to offer an option to the user "yes, please track me as you wish"

aleecia: quick use case -- you are a user in Germany and by default if you don't set DNT (it is unset), you start to get lots of messages as you browse, "don't you want personalization?"

… you decide it's crazy, don't want to be bothered, so you enable a global "yes to all", which is the "please track me as you wish" option

… things don't work the same in all countries

<jmayer> A global "DNT: 0" may not be adequate for consent under European law. FYI.

<Chris_IAB> sidstamm, I respectfully disagree that not all 50k people at Google are not stakeholders-- Google is an advertising supported company, so every single employee is paid with advertising revenue (and the value the market has attributed to that business); they aren't all required to make a decision, but what I was trying to point out was the complexity of decision making at large orgs :)

<ifette> sid, sure, but there's a lot more stakeholders at Google, and a lot more at stake at Google monetarily, than at Mozilla :)

yes yes, I agree ifette

but we have stakeholders who are not employees (volunteers)

aleecia: please look through the minutes and see that this poll is in line with what we discussed in bellevue

<jmayer> We discussed these options (and alternatives) at length in Bellevue. I'm likewise not entirely a fan of the options the group selected - but it was the decision we made.

<Chris_IAB> I would just urge us to consider the business magnitude of what this working group is proposing, and not rush to finalization without taking the due steps and time to consider all the potential outcomes...

<dsriedel> sorry, just had me muted

<dsriedel> nothing else

aleecia: one more week… please if you have something you can't live with in one of those options, please weigh in

… don't weigh in if you are okay with the options

<efelten> Most of the voices here represent business. I don't think there's any risk of business interests not being represented.

aleecia: [checking the attendees list for id]

<laurengelman> i am 415 627

<aleecia> An origin server MUST make a public commitment that it complies with this standard through the provision of a site-wide tracking status resource [[!TRACKING-DNT]].

aleecia: we ran out of time when discussing issue 25

<WileyS> I'm assuming this same rule applies to UAs?

… anyone who has an issue with this text (from IRC)

<WileyS> Existence vs. a specific statement

<WileyS> Good question - I would suggest it must be "include a specific statement"

dwainberg: does this say that the provision of the site-wide tracking resource is a public commitment, or that the resource must include a public commitment?

<WileyS> Disagree with existence

<WileyS> +q

aleecia: the former, we should clarify it

<efelten> +q

dwainberg: I don't support that, would rather allow servers some flexibility about public commitment

<dsinger> that makes it hard to partially implement (in progress work)

<jmayer> +q

<fielding> So, dwainberg wants a status that says "no"

dwainberg: this is looking like a legal hook for compliance and may get messy for some folks… nice technically, but not legally

wileys: not a lawyer, agree with dwainberg in principle. Don't think the existence of that resource should be public commitment, but we could put something inside that resource

<npdoty> fielding, dwainberg or a field in the resource that says "yes, I comply"

aleecia: that's another issue (literally)

<fielding> npdoty, we already have that

efelten: what's the alternative? If a site publishes a resource that says "I'll behave this way", isn't it an assertion to the user that it'll do what it says?

aleecia: are you suggesting we don't need this text at all?

<WileyS> Ed, depends on the flexibility of how your implementation is expressed in the resource.

efelten: I want to understand why people want to argue that a statement in the tracking status resource could be different than how a site acts

<aleecia> who is speaking? david w?

<WileyS> Yes - David W.

<npdoty> fielding, there's a dedicated field for that? or you're suggesting just the presence of the resource at all?

dwainberg: the resource itself shouldn't constitute the commitment, but you could put something inside it

<WileyS> +1 David

<aleecia> we have a queue

dsinger: it could mean that the resource existing is a suggestion you're working on it (partial compliance)

<hwest> +1 David

<fielding> npdoty, tracking field does exactly that

dwainberg: difference is between the commitment technically (to implement a spec) and commitment to behave in a certain way

<fielding> … but we have no option for "no"

I think we're talking past each other

<Chris_IAB> you might message the user that you see their header, but are not going to honor it per the W3C spec

<WileyS> Ed, we're with you on what is "IN" the resource, not the resource itself

efelten: I don't understand the confusion -- if you put a statement in a resource, how should it be interpreted?

<dsinger> e.g. "3" says "I am behaving in compliance with the rules for a 3rd party"

dwainberg: if the company states what it does, that's what it does, but it's not public commitment to the full standard

<Chris_IAB> it's a VOLUNTARY spec/standard

… the spec is gonna describe certain feedback the server must contain in the resource

… and if the server lies in the resource, it's a problem

… but this language says that just *having* the resource is a commitment to the entire spec

<WileyS> Ed, yes

efelten: but the statements in the status resource should be truthful

dwainberg: yes

efelten: and users can rely upon them?

dwainberg: that's probably true, yes

<WileyS> Ed, yes - what is "in" the resource is not the argument - it's that the mere existence of the resource doesn't mean you're following ALL aspects of the standard in full compliance

jmayer: seems to me the issue at base here is the extent to which we want to facilitate companies' ability to comply with just part of the compliance spec and just do the protocol

<WileyS> Much like UAs today :-)

… if just having it means you comply with the spec, it's harder to pick and choose

… but if there's a separate field, it is easier to pick what you implement

<Chris_IAB> neither the W3C nor the SEC has any ability to regulate how companies reply to an HTTP header flag... companies are free to respond to it how they feel is appropriate

… I think ed is pointing out that if there was not a separate field, something that *looked* like compliance (the resource) should not be relied on

<Chris_IAB> sorry, not SEC :)

<Chris_IAB> FTC

are you trading headers on a market, Chris_IAB ?

ifette: to what extent do we want to support partial compliance?

… if we look at past history, of other work, people start sending invalid statements because they can't express what they want through the spec

<dwainberg> excellent point about p3p

<Chris_IAB> sidstamm, not sure what you mean by "trading headers on a market"?

… there will be a number of people who want to do the right thing, but if our spec is not flexible enough, it will cause issues

Chris_IAB, it was a joke about your SEC comment

<Chris_IAB> sid, that's right

<Chris_IAB> ah, right

<Chris_IAB> dyslexic moment :)

ifette: I would rather see a company who doesn't agree with the whole spec can at least tell the user something honest (partial implementation)

aleecia: I disagree with your comments on p3p

amyc: want to echo dsinger and what adrian said on the last call.

… need to be able to have a flexible spec to address this

<jmayer> The issue of phase-in is separate from the issue of partial adoption.

<Chris_IAB> ...and you would specify that in your privacy policy, not in the communication protocol between two servers

hwest: I've been hearing that having a tracking resource in itself means you comply with the spec -- that's a big problem, just wanted to make it clear that this is not good

<jmayer> hwest, I think everyone was talking about the W3C Compliance spec.

… efelten and dwainberg were talking about different things

… if there's a resource on the server [regardless of its contents] does it mean it's fully compliant to the w3c spec?

<npdoty> the statements in the tracking resource rely on definitions in the Compliance specification, though

… I don't think it's a good option. We could put something inside the resource to claim it, but it should not be assumed by the resource's presence

fielding: currently, the only valid response for the tracking status resource is a claim of compliance with the spec

… fine with me if we want to make it more flexible, but we need to revise the text

<dsinger> maybe we need qualifiers back; 'p' suffix to say "I am in partial compliance (e.g. I am working on it)"

<efelten> +q

aleecia: what would this look like? A new response like "I do something with DNT, but don't fully comply"?

<Chris_IAB> you could also reply that you don't comply with DNT, no?

<dwainberg> the resource already includes a link to a policy, right?

aleecia: I think we're looking at two options

… (1) your response is enough to indicate "I implement DNT"

<npdoty> if you don't comply, Chris_IAB, the spec says you can just not have a tracking status resource

… all of it, or a baseline defined in the spec

<efelten> -q

… (2) make changes to what the response looks like to have an additional part that says

… I implement parts of DNT, but not all, check for more information (here).

… and we'd need to update the compliance doc

… if there are additional options, or I'm way off, speak up

<Chris_IAB> npdoty, you can't legally dictate how companies reply to DNT headers... anyone can send a header-- it's just a header

<fielding> what I would add is an option for "not for your UA"

<jmayer> +q

dsinger: maybe we would have the qualifier stack and after you say what party you are and such, we could add an additional char that says "but only part"

aleecia: we talked about this in the group, and it sounded like lots of people wanted to roll out all of their DNT support at once

… so there's not a needed provision for testing

… if it's changed, let's open an issue to address this

<npdoty> Chris_IAB, I'm just pointing out the option that's defined within the spec: "an origin server that does not wish to claim conformance to this protocol would not supply a tracking status resource and would not send a Tk header field in responses."

<dwainberg> yes, I would open that as an issue.

adrianba: there's another option (3)

<ifette> I don't think it's just "testing", I think it's "my steady state is something short of full compliance with the spec"

<Chris_IAB> npdoty, got it, thanks

… the policy doc doesn't need to say anything about this, people can use any form they want to make a public commitment

… the tech spec, just like every other tech spec, describes what a complete implementation should do

<Chris_IAB> agree with David Singer

… the reality is that people incrementally implement stuff

<Chris_IAB> how many browsers are HTML5 FULLY compliant today???

… if people don't fully implement the spec, they don't. We don't need a "partial compliance" flag

<jmayer> -q

<Chris_IAB> sidstamm, can you please send that same kind of signal for HTML5? ;)

aleecia: you are advocating silence in the compliance spec and no additional flag for the technical side for incomplete implementations?

… for example, I'm partially done but we have to wait to finish rolling out our implementation of DNT

… I want to send something to say "not done yet"

<jmayer> +q

<npdoty> in that case you wouldn't have a `tracking` field, and so it wouldn't be in compliance with the tracking-dnt spec either

ifette: I agree with adrian that we want to make it possible, but I don't think it's an issue that we are *testing* dnt, but that the implementor actually disagrees with some of the spec and won't implement it

… I appreciate we don't want to get into the whole testing rathole, but this is different.

aleecia: the question I have is how do we avoid a situation where users rely on what they understand in the response from the site but it's wrong

<rvaneijk> @Chris_IAB, either you are compliant or not. With partial implementations claiming full DNT compliance, we are not helping towards a fulfillment of the FTC criteria for DNT.

jmayer: the first order issue is, "do we want to facilitate web sites speaking the DNT protocol but not actually acting in compliance with the spec?"

<WileyS> +1 Ian

<dsinger> for the record, I prefer it clean as it is (that the statement is a simple machine-readable statement of compliance); I just worry about staged bring-ups

… I think the answer should be NO

… however we decide that issue, we can figure out how to implement it

<fielding> issue: do we need a tracking status value for partial compliance or rejecting DNT?

<trackbot> Created ISSUE-161 - Do we need a tracking status value for partial compliance or rejecting DNT? ; please complete additional details at http://www.w3.org/2011/tracking-protection/track/issues/161/edit .

<WileyS> Mayer, I like the idea of compliance codes: W3C, DAA, EDAA, etc.

<ifette> +1

<Chris_IAB> interesting idea guys

<ifette> and i unfortunately have to drop for a 10 meeting, but I do like the idea of "Here's some well-known thing I comply with, be it DAA, W3C, XYZ"

<dwainberg> +1

<efelten> +q

<Chris_IAB> +1.5

aleecia: I think you can imagine that the response back from the server could point to a type of compliance (point to an existing compliance doc from DAA, W3C, XYZ)

<dsinger> which david?

<dsinger> ok

<WileyS> dsinger :-)

dwainberg: I think others have given some examples that support my point, so I won't rehash it

<aleecia> sorry - yes, davidw

<jmayer> I think an "I speak DNT, but I only comply with these documents" response would be a terrible idea. Just wanted to point out that the engineering is possible.

… one other example is other business models that may not be required to support DNT but want to implement it anyway

… but they don't want extra legal liability by trying to implement it

… but if we leave it the way it is, companies just won't deploy the tracking resource because of the risk

<aleecia> we already have text of "you can be more privacy protective," there should be no risk to twitter

<fielding> issue: If we have a mechanism for indicating partial compliance, how do we convey to the user why, and what is not being complied with, in a machine-readable manner?

<trackbot> Could not create new issue - please contact sysreq with the details of what happened.

… they may respect the header and describe it in a privacy policy, but not implement the status resource

<Brooks> sounds like the p3p issue of not issuing the full policy

efelten: we've had a suggestion that others can define what compliance means if it is put in the status resource

<WileyS> jmayer, I think it was a great idea that you put out there - something we should seriously consider. It gives you the "on the hook" element I believe you're looking for and gives implementors the flexibility to support self-regulatory standards.

… but the group should think very carefully about it before we go down this road

… what happens if lots and lots of parties have their own definition?

<dsinger> +1 to edfelten

<jmayer> Again, I was pointing out that the engineering is possible, and the engineering ISSUE turns on the policy ISSUE.

… in a system where each third party has their own statement buried in their own privacy policy -- this system doesn't make a difference to users.

aleecia: that is one of the two reasons DNT is an interesting topic

<jmayer> I would strongly oppose the design I mentioned, and I fully agree with what Ed just said.

… (1) persistence (2) baseline standard for compliance

<Chris_IAB> David W brought a great point Ed: if companies are scared of FTC enforcement, they may just back away from it altogether (in fear)-- that's not a good day for privacy

<Chapell> Are regulators planning to provide a comprehensive, step-by-step guide re: how they plan to interpret and enforce the DNT spec?

… if there's a way to say there's a small group of deviations from the baseline, that might be worth investigating

… but the idea of "no standard" for DNT and anyone can make their own, seems opposite of the goal of this work

<fielding> issue-162?

<trackbot> Getting info on ISSUE-162 failed - alert sysreq of a possible bug

… this is my personal opinion as Aleecia

<Chapell> PS - that question is directed primarily to Ed, Rob @ Ninja (are there other regulators in the group?)

ifette: I think right now what we see is not a proliferation, but a small number of deployed privacy protection measures

… like the DAA principles, other industry organizations, not W3C standards, but are standards

… agree with ed that every single company having their own standard is suboptimal

… but is not the necessary outcome of going down a road like this

aleecia: and let's go back to the particular issue

… there are other issues that can split off from this

… (1) testing -- should we add this as a new issue?

<rvaneijk> @Chapell, that is your part of the puzzle. The regulators' job is to define the norm.

… (2) flag of implementing w3c or someone else's standards -- or is this implicit?

dwainberg: there are two issues here

… where or how the public commitment is made and what the nature of the commitment may be

… these are two separate issues

aleecia: yeah, we may want to come back and pick them up

<Chapell> @RVaneijk - ok, but that is going to significantly delay implementation

… we are only discussing the issue of a public commitment at this time

<dwainberg> ok...thanks, understood... sorry to interrupt

<aleecia> 1. text from Roy

aleecia: three paths

(1) text from roy

… responding = DNT compliance

<aleecia> 2. partial compliance

… (2) some way for partial compliance

<Chris_IAB> wouldn't such an architecture allow the flexibility needed for countries to use DNT according to their laws? It's not a bad idea to consider... in the interest of global privacy concerns

… a response that will need to go into the TPE doc and also something in the compliance spec pointing to it

<aleecia> (3) silence

… (3) silence -- stick with what we have

dwainberg: Number two is two pieces

<jmayer> +q

jmayer: they're the same, david. if you say the compliance statement goes in the PP, then you can do whatever you want.

<Chris_IAB> Jonathan, and what's wrong with that?

<Chris_IAB> shouldn't we allow users to decide where they will go, shop, etc. based on how they trust the sites they visit?

aleecia: what would be the benefit of having (2): the self-defined compliance definition

dwainberg: I think it's a bad idea to make the existence of a tracking status resource equal to an assertion of compliance.

<WileyS> Aleecia, it's more of a "I see your DNT signal and I honor it in this way"

aleecia: I understand your concern is that some response is that you comply with DNT.

<npdoty> is dwainberg's concern about the resource being a public commitment different than the meanings of the fields in the resource being defined in the compliance spec?

… but I'm not sure I understand why having the same commitment in a privacy policy is different

<Chapell> chapell

<aleecia> "In order to be in compliance with this specification, a third party must make a public commitment that it complies with this standard. A "public commitment" may consist of a statement in a privacy policy, a response header, a machine-readable tracking status resource at a well-known location, or any other reasonable means. This standard does not require a specific form of public commitment."

<WileyS> Nick - yes, the concern is that the text currently states that the "presence" of the tracking resource means you're supporting all elements of the W3C DNT standard vs. simply stating that what you deliver in the tracking resource is what you support.

<Chris_IAB> Chapell just sent a "chapell" header in IRC and my response is "LOL"

<npdoty> dwainberg, WileyS, but would you agree that the fields in the tracking status resource are a commitment to fulfilling the definitions of those terms?

<WileyS> Aleecia - I like your text.

aleecia: let's make an action to think this through and draft something

<WileyS> Nick, yes

<fielding> just delete the last sentence

<dsinger> we would need proposed changes to "3 Third party: The designated resource is designed for use within a third-party context and conforms to the requirements on a third party."

<Chapell> @ DavidW - I'm happy to help with your proposal

<ifette> +1 to David's proposal

aleecia: would anyone want to write up silence as an option?

… if nobody is willing to take this, we will rule it out as an option

<Chris_IAB> confused what you are asking?

<tl> Isn't silence what we already have?

<tl> i.e.: ""

aleecia: we have some people looking at a way to say "I partially commit to DNT"

dwainberg: I will ponder that as a piece of my other action

<Chris_IAB> how about an action item to write a proposal for "I comply with X compliance policy" (x = DAA, W3C, etc.)

<npdoty> ACTION: weinberg to draft proposal regarding making a public compliance commitment (with Alan, Ian) [recorded in http://www.w3.org/2012/08/22-dnt-minutes.html#action01]

<trackbot> Sorry, couldn't find user - weinberg

aleecia: have two texts already from jmayer and fielding

<npdoty> ACTION: wainberg to draft proposal regarding making a public compliance commitment (with Alan, Ian) [recorded in http://www.w3.org/2012/08/22-dnt-minutes.html#action02]

<trackbot> Sorry, couldn't find user - wainberg

… and silence as our fourth option

<fielding> Aleecia, I am fine with the original text minus last sentence.

aleecia: to close out this discussion--do we have any interest in having a flag that says "I'm testing this, don't think I comply"

<npdoty> ACTION: dwainberg to draft proposal regarding making a public compliance commitment (with Alan, Ian) [recorded in http://www.w3.org/2012/08/22-dnt-minutes.html#action03]

<trackbot> Sorry, couldn't find user - dwainberg

… nobody was interested in this as an issue, so we'll leave it

aleecia: let's talk about issue 123 action 116

<aleecia> (b) Third parties should be prohibited from acting or representing themselves as first parties. (ISSUE-123)

<aleecia> ACTION-116 on Thomas Lowenthal

<aleecia> Original text: http://lists.w3.org/Archives/Public/public-tracking/2012Feb/0618.html

<aleecia> Proposed edit: http://lists.w3.org/Archives/Public/public-tracking/2012Mar/0126.html

<aleecia> HISTORY: From the Aug 1 call, the basic concern is that the language in the draft assumes parties will always and forever, in all cases, know what party they are despite the 1st and 3rd party definitions in the Compliance document that make it clear that is not the case. [We do have some debate over that text as well, which will need to be resolved, but that is another issue, specifically issue-60.] Other concerns arose, but the major and persistent concern was the use case where someone has content embedded in someone else's iFrame, is not aware they are 3rd and not 1st party, and has negative consequences through no action of their own.

<aleecia> New suggestions for this text include using the phrase "knowingly represent," limiting the scope to just be about DNT responses, and adding language that this text does not suggest it is ok to misrepresent elsewhere ("This section is not intended to allow or prohibit any practices other than those explicitly addressed.")

<aleecia> We agreed service providers will need to be integrated with this text, and are not currently.

aleecia: [pastes into irc]

<aleecia> We did not discuss but might consider if examples in non-normative text could help clarify here. An example that specifically addresses iFrames seems apropos. That might help address the substantive concerns.

<aleecia> David Singer took action-233 to draft text to add similar intent to the TPE document, but after further reflection, closed the issue. No one was interested in taking it up from David.

<aleecia> Tom Lowenthal was uninterested in updating his text to address concerns raised on the call, as he believes the text addresses them as-is.

<aleecia> PROPOSAL: one of two paths.

<aleecia> - Someone steps forward to offer a revised text that might address the primary concern raised. We review that text, and if it is now acceptable, we adopt. If there is still a split of strong opinions, we apply the decision process and call for objections.

<aleecia> - If no one is interested in doing five minutes of further work on the action-161 text, we close it for lack of interest.

aleecia: the concern is that a company could no longer be a first party and not know it -- or something similar

<dsinger> please note that Roy's proposed TPE language doesn't claim actual status, but intended-use status.

aleecia: is there someone willing to take the existing text and add something like "knowingly represent" that would address the concerns about accidental misrepresentation?

<fielding> I volunteer in two weeks

dsinger: I just want to point out that the representation is "this resource is designed to be used in a [x] party context", so it's not clear that it's an issue

aleecia: what we have right now is two specs going in different directions

… in the compliance spec, the definitions involve what type the party thinks they are (first or third)

… I'm actually seeing the two specs not lining up

… and I think you're suggesting we make the specs align before we take this on

dsinger: I agree

aleecia: gonna postpone this discussion until the specs are better lined up

<aleecia> (c) Third party as first party - is a third party that collects data on behalf of the first party treated the same way as the first party? (ISSUE-49)

<aleecia> ACTION-161 on Shane Wiley: work on issue-49

<aleecia> Current text is in the body of the ACTION: http://www.w3.org/2011/tracking-protection/track/actions/161

<aleecia> HISTORY: we learned on the Aug 1 call that Shane intends this as a replacement for current text around service providers.

<aleecia> Shane was to revise his prior text to reflect suggestions from the Aug 1 call, which included:

<aleecia> Changing "operate as a First Party" to "operate under the rules for a first party" to clarify service providers have additional restrictions

<aleecia> Renaming this section to "Service Provider"

<aleecia> Updating to reflect there may be third parties on behalf of third parties, not just on behalf of first parties

<aleecia> With the conclusion of Shane's edits, we will discuss this text on the call.

<aleecia> Expected outcomes:

<aleecia> - We acknowledged on the Aug 1 call that these proposals are likely to go through the decision process with a call for objections. We need alternatives we can adopt into the document.

<aleecia> - Either we agree Shane's text is now complete, or there is another action item for any additional edits

<aleecia> - The current text in the drafts is dated and does not reflect third parties acting on behalf of third parties. This suggests an action to update that text as well.

<aleecia> - Once texts are complete, we compare them side-by-side

<npdoty> editors are reminded to talk about how to align the tracking-dnt and tracking-compliance specs on design of resources for 1st/3rd

aleecia: action 161...

<aleecia> Changed "A Third-Party MAY operate as a First Party if..." to "A Third-Party MAY operate under the rules for a first party if..."

<aleecia> <Normative>

<aleecia> A Third-Party MAY operate under the rules for a first party if the following conditions are met:

<aleecia> - Data collected is separated for each First Party by technical means and organizational process, AND

<aleecia> - The Third Party has no independent rights to the collected information outside of Permitted Uses (see Section X.Y), AND

<aleecia> - A contractual relationship exists between the Third Party and the First Party that outlines and mandates these requirements.

<aleecia> A Third-Party acting on the behalf of a First Party is subject to all of the same restrictions of a First Party.

aleecia: [reads paste from IRC]
... wileys, what is your plan with this?

WileyS: From the exceptions perspective, a third party representing another third party is still a third party. We can clarify, but I didn't think it was necessary.

<dwainberg> How about inheritance of exceptions from 3rd pty to 3rd pty?

aleecia: let's clarify it, because this makes it sound like a third party acting as another third party is forbidden.

<dwainberg> (when the 2nd 3rd party is acting on behalf of...)

<fielding> given that the definitions of party are wrong, this is kind of pointless

<WileyS> Aleecia - sounds good

<WileyS> Aleecia - did you see Roy's point?

aleecia: ok, let's leave 161 open for you to add this clarification

<WileyS> Will do

npdoty: what I see in this compliance draft are two options that are similar

… first is longer

… but seems to be pretty much what shane is working on

aleecia: shane is rewriting it for this

<WileyS> Shane to add 3rd party acting as 3rd party - I thought that was it

npdoty: because of disagreement?

aleecia: just to clarify third party as other third party is ok

<WileyS> Correction - a 3rd party operating on the behalf of another 3rd party.

<WileyS> Nick, yes

<WileyS> Agreed - made that change already

<aleecia> (d) ISSUE-64 POSTPONED How does site-preference management work with DNT

aleecia: one more thing for the next 10 minutes

<aleecia> See the summary box in the issue (http://www.w3.org/2011/tracking-protection/track/issues/64) -- this was about setting cookies that have non-identifiable information, for example, the user's default language. I believe we are unanimous in agreeing this is fine and does not require consent under DNT, provided the pool of users is large enough, though we are not quite agreed on final language, though pretty close.

<aleecia> PROPOSAL: Move this from "postponed" to "open", and rename to "How do we describe non-identifiable data" to reflect the state of the conversation.

aleecia: issue 64, cookies with non-identifiable info

… I think we all agree this is a fine thing to do

<jmayer> I think the current service provider language could be trivially edited to accommodate third party-to-third party service providers.

… but aren't solid on the language or the minimums for "large enough group"

<efelten> For consistency, it's probably better to use "linkable" rather than "identifiable".

… but need to decide how to discern non-identifiable data

<dsinger> actions that are not 'tracking' are *out of scope* (and we should define the scope so that's clear)

<efelten> ok

aleecia: can't use "linkability" because in the european context it means something else

<efelten> Need a definition too.

<BrendanIAB> +q

… but yes, this issue is for a definition as such

BrendanIAB: just to clarify, the header from client to server just indicates the server should not collect the information to one degree or another

… I haven't read the text, but is there a prohibition about setting cookies?

<jmayer> uncorrelate-able?

… as I understand it, it's just about not collecting cookies.

<efelten> or "low-entropy"

aleecia: no prohibition on setting cookies, but we've agreed that it's absolutely fine to aggregate data

<jmayer> +q

… such as, instead of a unique identifier, it's a shared identifier

… or a language code

<jmayer> There's no prohibition on setting *any* cookies, we agree on that. The EFF/Mozilla/Stanford proposal would prohibit setting certain cookies.

… we're pretty close I think. we all agree on the intent, but haven't nailed down the particulars.

jmayer: want to distinguish between "can't set any" and "can't set certain"

<tl> What about -- say -- a shopping cart cookie which doesn't have anything intended to be an identifier, just the product codes for the thirty-five items in my shopping cart? It's high entropy, and it could probably be identified, but it's not an "identifier"?

… the question is which one

… one view is that the purpose is what matters

<Chris_IAB> DNT is only a preference indicator, it is NOT a cookie blocker or any kind

… my view is that you can set cookies, but they can't be used for identification (whether or not they are, it's about potential)

<WileyS> Yes - unique IDs are the key divide

aleecia: yes, we're divided here

<WileyS> Removing unique IDs breaks the entire Internet as currently built

<aleecia> dsinger

dsinger: I think the definition should focus on what you're allowed to do with the data

<jmayer> BrendanIAB, glad we cleared that up. Will IAB now stop saying that DNT = stop all collection?

aleecia: not hearing disagreement with moving this to an open issue

… so let's do it.

… the next item needs more than 4 minutes

<dwainberg> as dsinger was alluding to, this is more about the definition of tracking

<WileyS> jmayer - removing unique IDs is THE SAME as stopping all collection

… a few things we didn't get to

… one with ninja, hopefully she can join us again in the future

<jmayer> It's an adorable talking point y'all have, but it just so happens to be false.

<aleecia> ack?

<Chris_IAB> jmayer, re your question to Brendan, we will do that when the compliance doc makes that point clear

<jmayer> Chris_IAB, great, let's add one sentence on that. Done.

<WileyS> jmayer - since we're the ones who actually operate in this space, I believe we're in a better position to define what is true or false. But nice try...

aleecia: adjourned!

<BrendanIAB> The "clearing up" sounds like there's lack of clarity wrt "can I set any cookie" vs "can I set only some types of cookies".

<jmayer> Hah.

Summary of Action Items

[NEW] ACTION: dwainberg to draft proposal regarding making a public compliance commitment (with Alan, Ian) [recorded in http://www.w3.org/2012/08/22-dnt-minutes.html#action03]
 
[End of minutes]

Minutes formatted by David Booth's scribe.perl version 1.136 (CVS log)
$Date: 2012/08/22 17:29:12 $
