IRC log of privacy on 2012-11-26
Timestamps are in UTC.
- 21:46:11 [RRSAgent]
- RRSAgent has joined #privacy
- 21:46:11 [RRSAgent]
- logging to http://www.w3.org/2012/11/26-privacy-irc
- 21:46:24 [npdoty]
- Meeting: Workshop on Do Not Track and Beyond
- 21:46:31 [Zakim]
- Zakim has joined #privacy
- 21:46:43 [npdoty]
- Chair: js, npdoty
- 21:46:50 [npdoty]
- rrsagent, make logs public
- 21:55:33 [presentation_screen]
- presentation_screen has joined #privacy
- 22:07:09 [rigo]
- rigo has joined #privacy
- 22:07:24 [rigo]
- rrsagent, please set log public
- 22:07:32 [rigo]
- scribenick: rigo
- 22:08:13 [Frank]
- Frank has joined #privacy
- 22:12:52 [rigo]
- Topic: Introduction
- 22:13:22 [rigo]
- Introductions around the room: What is, can and should be the role of standards in policy?
- 22:13:47 [rigo]
- Introduction by Nick Doty, Thanks and Administrativa and Logistics
- 22:14:29 [rigo]
- Presentation: Frederik Borgesius, University of Amsterdam
- 22:14:31 [aleecia]
- aleecia has joined #privacy
- 22:14:36 [BerinSzoka]
- BerinSzoka has joined #Privacy
- 22:14:37 [Arnaud]
- Arnaud has joined #privacy
- 22:14:49 [Js]
- Js has joined #privacy
- 22:15:05 [Joanne]
- Joanne has joined #privacy
- 22:15:05 [tara]
- tara has joined #privacy
- 22:15:05 [aleecia]
- Rigo is scribing?
- 22:15:09 [rigo]
- yes
- 22:15:15 [peter]
- peter has joined #privacy
- 22:15:19 [johnsimpson]
- johnsimpson has joined #privacy
- 22:15:35 [Andrew_Swerdlow]
- Andrew_Swerdlow has joined #privacy
- 22:15:36 [rvaneijk]
- rvaneijk has joined #privacy
- 22:15:50 [Mark_Lizar]
- Mark_Lizar has joined #privacy
- 22:16:03 [meme]
- meme has joined #privacy
- 22:16:04 [erikn]
- erikn has joined #privacy
- 22:16:08 [Mark_Lizar]
- Mark_Lizar has left #privacy
- 22:16:34 [JoeHallCDT]
- JoeHallCDT has joined #privacy
- 22:16:35 [MarkL]
- MarkL has joined #privacy
- 22:16:35 [nweaver]
- nweaver has joined #privacy
- 22:16:45 [Reuben_Binns]
- Reuben_Binns has joined #privacy
- 22:16:50 [rigo]
- ND: Goal is for W3C to identify fields for future work, but also for you all to share experience. But it is also a place for the community to meet. Should mix industry and academics in the breaks, lots of breaks.
- 22:17:27 [jeff]
- jeff has joined #privacy
- 22:17:30 [rigo]
- npdoty: Introduction to DNT: mentions DNT Workshop in Princeton
- 22:18:22 [nweaver]
- nweaver has joined #privacy
- 22:19:33 [rigo]
- Presentation around the room
- 22:20:28 [rigo]
- http://www.w3.org/2011/track-privacy/
- 22:23:17 [wseltzer]
- wseltzer has changed the topic to: http://www.w3.org/2012/dnt-ws/ W3C Workshop: Do Not Track and Beyond
- 22:26:38 [Frank]
- Frank Wagner, Deutsche Telekom, Group Privacy
- 22:26:56 [rigo]
- Jan Schallaböck, co-chair: http://www.datenschutzzentrum.de/ and secretariat of ISO/IEC JTC 1 SC 27 WG 5
- 22:27:09 [nweaver]
- ICSI. Our Firefox extension is priv3.icsi.berkeley.edu
- 22:27:18 [nweaver]
- http://priv3.icsi.berkeley.edu
- 22:27:21 [rvaneijk]
- Rob van Eijk, PhD Student Dual PhD Center The Hague, Leiden University
- 22:27:21 [JoeHallCDT]
- Jan explains the post-it notes attached to paper agendas: write down interesting things you think of and give them to him
- 22:27:37 [wseltzer]
- Wendy Seltzer, W3C Policy Counsel and in research work, http://wendy.seltzer.is/drafts/privacy-options-feedback.pdf
- 22:28:24 [rigo]
- Please put your ideas on the post-its that are attached to the printed agendas
- 22:29:10 [rigo]
- JS: first topic controversial, but here is Workshop, can agree to disagree, no need for fighting
- 22:29:25 [rigo]
- ... introducing Frederik Borgesius
- 22:29:51 [rigo]
- ... who has also consulted the EU Parliament on OBA
- 22:30:49 [rvaneijk]
- rvaneijk has joined #privacy
- 22:32:13 [jeff]
- jeff has joined #privacy
- 22:32:13 [BerinSzoka]
- Thank you, Nick!
- 22:34:15 [rigo]
- Presentation: Frederik Borgesius http://www.w3.org/2012/dnt-ws/position-papers/24.pdf
- 22:35:11 [Js]
- Js has joined #privacy
- 22:35:27 [jeff]
- jeff has joined #privacy
- 22:38:28 [tlr]
- tlr has joined #privacy
- 22:39:46 [jeff]
- jeff has joined #privacy
- 22:40:40 [pleon]
- pleon has joined #privacy
- 22:41:14 [jeff]
- jeff has joined #privacy
- 22:44:45 [rigo]
- JanS: Have a question, you're reluctant to have W3C supply technical specification for compliance
- 22:44:59 [tara]
- tara has joined #privacy
- 22:45:04 [rigo]
- FB: consent and contracts can be achieved anyway
- 22:46:05 [rigo]
- ... pop up box could do it. To my surprise Neelie Kroes suggested to use DNT. Which means do not collect. Could be seen as a technology that establishes consent
- 22:47:07 [rigo]
- JanS: that would be a signal of DNT:0 saying consent and unset/DNT:1 would be do not collect
- 22:47:21 [rigo]
- ... but what about the defaults, is there an answer in law?
- 22:47:29 [JoeHallCDT]
- is Jan saying the draft DPR has a "default unset" piece?
- 22:47:34 [JoeHallCDT]
- I didn't know that
- 22:47:48 [rigo]
- ... wouldn't DNT:1 be more privacy client
- 22:47:51 [rigo]
- ?
- 22:48:13 [JoeHallCDT]
- if anyone has a cite to that piece of the DPR or a discussion of the issue, I'd thank you
- 22:48:42 [rigo]
- FB: both generic law and eprivacy directive expect consent. What the technical default looks like is not relevant because the legal default is not tracking without consent
- 22:49:27 [rigo]
- NickWeaver: How does consent have to be. For wiretapping have to be real.
- 22:51:19 [AndroUser]
- AndroUser has joined #privacy
- 22:51:28 [mikeperry]
- mikeperry has joined #privacy
- 22:51:35 [wseltzer]
- rigo: Whereas clause in the e-privacy directive, number 66 says browser configuration can count as a consent declaration for the purpose of storing information on terminal equipment
- 22:51:56 [rigo]
- FB: have to be significant consent, in current discussion on Google privacy policy discussion, main problem was that the meaning was hidden. Meaningful open
- 22:52:09 [wseltzer]
- ... this only happens if there's meaningful information around the browser tool.
- 22:52:10 [JoeHallCDT]
- ah, these are recitals
- 22:53:10 [JoeHallCDT]
- RobVanEijk: consent must be "specific, free, and informed"
- 22:53:38 [Dwainberg]
- Dwainberg has joined #privacy
- 22:54:33 [rigo]
- RobvanEijk: Goal to have the user decide. If the browser can reflect consent or not. DNT work is to reflect consent, and there is a bridge to the legal building block, so there will be a quality assessment on the solution. Making sure that the default thing expresses what the user wants. So technical question is that whether you use DNT or not is also whether a user has already expressed a preference
- 22:56:13 [Dwainberg]
- Does anyone have advice on how to connect my Mac to the wifi? I can connect but nothing is getting through.
- 22:56:21 [rigo]
- ShaneWiley (SW): Starting the debate; Is the policy that the TPWG should create a document that details whether something is compliant with regional laws, or should be only a technical specification that allows expression of self regulatory regimes
- 22:57:07 [tlr]
- dwainberg, network "AirBears"
- 22:57:09 [rigo]
- ... compliance document doesn't solve the EU problem, is W3C the right place to have the debate, or have W3C only make the tech spec
- 22:57:16 [tlr]
- worked nicely for me
- 22:58:01 [rigo]
- FB: if FIPs are in place, and 100 countries have. The policy has already been set. W3C only implements that
- 22:59:19 [rigo]
- LieTien: Two things going on: Consent to storage information, and consent that is part of the FIPs, for me two distinct things. I can see the first thing is limited. In the US context, you could consent to a lot more..
- 22:59:54 [Frank]
- Frank has joined #privacy
- 22:59:55 [rigo]
- ... if no meaningful scope is given, and lots of EU things wouldn't apply. How much of the other things can you consent away
- 23:00:40 [rigo]
- FB: good question, hasn't been tested in court: security, not waivable, access, not waivable, minimization, not really, but some
- 23:00:41 [aleecia]
- actually FIPPs are from the US :-)
- 23:00:48 [wseltzer]
- s/LieTien/LeeTien/
- 23:01:12 [rigo]
- ... right about double layer of consent, but non lawyers will fall asleep if I start to explain
- 23:01:39 [rigo]
- ... ePrivacy Directive is lex specialis and applies, but has to cover the generic requirements too
- 23:03:13 [dwainberg]
- dwainberg has joined #privacy
- 23:03:36 [wseltzer]
- rigo: W3C is not a regulator; it produces "Recommendations"
- 23:04:02 [JoeHallCDT]
- The trick to me is that most of w3c's work is specific to things that would not necessarily change from jurisdiction to jurisdiction… DNT doesn't seem to be like that
- 23:04:28 [wseltzer]
- ... we may create documents that have influence in political discussion, but so could virtually anything
- 23:04:57 [wseltzer]
- ... there's always a second step, if those in the political process find Recs useful
- 23:05:05 [rigo]
- BerinSoka: coming to Shane's question. Can be used to implement policy or to create rules?
- 23:05:26 [wseltzer]
- s/BerinSoka/BerinSzoka/
- 23:06:28 [rigo]
- JanS: you get your policy space lined out and facilitate compliance with regulation. You have to agree on what regulatory environment you want to create interoperability to. This is always a heated discussion
- 23:06:56 [rigo]
- ... standards can have a de-facto regulatory effect. People should be aware of that.
- 23:08:09 [rigo]
- ... in this case SDOs become governance bodies, which is an interesting topic in itself (IGF, ICANN etc)
- 23:08:20 [dwainberg]
- dwainberg has joined #privacy
- 23:09:32 [rigo]
- ... question SW is W3C a good place. My reaction: why not, and who else?
- 23:10:29 [nweaver]
- Personally I believe in client-only implementations: I don't trust servers, voluntary or not.
- 23:10:39 [rigo]
- SW: Why not: if resulting standard is voluntary, implementing a new compliance specification would not drive that voluntary implementation. Other regimes in regions would be better for adoption
- 23:11:19 [rigo]
- ND: many people believe that you've to go to W3C to force browser to do X
- 23:11:57 [wseltzer]
- [FTC: http://www.ftc.gov/opa/2012/03/privacyframework.shtm]
- 23:12:10 [rigo]
- SarahSchroeder: ?? report, standards setting, establishing criteria and supports the work in W3C. We appreciate the work
- 23:12:20 [JoeHallCDT]
- Sarah is at FTC
- 23:12:23 [JoeHallCDT]
- atty
- 23:13:11 [wseltzer]
- [Sarah is reading from http://www.ftc.gov/os/2012/03/120326privacyreport.pdf p.53]
- 23:14:44 [rigo]
- aleecia: Shane alluding, perhaps not making 39 implementations for over 50 countries. Now for my research I have to explore that, is a nightmare. It would be handy to have one mechanism for consent would save a lot of engineering time for lots of people.
- 23:15:37 [rigo]
- SW: current discussion in TPWG, we already determined that current document does not solve the EU problem, TPE would work, but not need compliance spec
- 23:16:29 [rigo]
- HarlanYu: realize whatever W3C publishes is recommendation. What is it to comply with the Standard? Only one or with both?
- 23:16:42 [AndroUser]
- AndroUser has joined #privacy
- 23:18:57 [rigo]
- ... people are not compliant with all, could still use as technical basis for other stuff
- 23:19:12 [jeff]
- jeff has joined #privacy
- 23:19:13 [nweaver]
- If the default requires meaningful consent, the result will be NO if users actually understand what's going on. EG, explain how the like button tracks what people read (not just like) and it creeps people out, big time.
- 23:19:30 [nweaver]
- Well, for a huge fraction of the users
- 23:19:35 [rigo]
- JanS: hear from FTC and if those conditions would be fulfilled that would also make it for EU
- 23:20:46 [rigo]
- ... if falling back below regulation and then going into the regulated market is not possible.
- 23:21:25 [rigo]
- ... but on the other side, the de-facto regulatory effects should be taken into account.
- 23:22:07 [AndroUser]
- Rigo, you've stated in the past that the current compliance & scope does not meet the ePrivacy Directive requirements but that the TPE provides the necessary framework to get there. Are you suggesting now that the C&S does meet ePrivacy?
- 23:22:10 [rigo]
- ND: it is useful to have direction from regulatory bodies. W3C should go away from setting those regulations. W3C is rather in mechanisms, a tool for making choice
- 23:23:56 [rigo]
- DavidWainberg (DW): Technical standards and compliance standards are different animals. National regulators weighing in is difficult. If W3C is making compliance specification, what would you change in Process?
- 23:25:00 [rigo]
- FrankWagner: from implementers, W3C is making a switch, so we are guided. If a guide is there fine.
- 23:25:04 [JoeHallCDT]
- David, like a treaty process?
- 23:26:01 [rigo]
- AlexFowler: about WAI, are legal requirements that are taken into account while drafting the standards.
- 23:26:21 [dwainberg]
- Joe, what do you mean about a treaty process? As model for doing this type of compliance standard?
- 23:27:25 [dwainberg]
- I don't think most of us would like that.
- 23:28:12 [JoeHallCDT]
- I'm just trying to think of other cross-jurisdictional policy processes and that came to mind… and, I agree, no. Let's talk more offline.
- 23:28:25 [dwainberg]
- Look at some of the treaties we've seen over the last few decades.
- 23:28:33 [JoeHallCDT]
- word
- 23:28:40 [rigo]
- TLR: think the discussion having here, is a scale. David's question about process is the right question to ask. To WAI, in that area there are regulatory requirement that drive that work and influence. The line depends on that particular content. The lesson from there, there is a policy component to every standards work, sometimes more sometimes less. There are areas where the policy should happen close to the technical work. It is a useful conversation to see
- 23:28:41 [rigo]
- where the policy aspect is to technical relation, where are the lines?
- 23:28:44 [dwainberg]
- Ah.. so, yes, I see the analogy.
- 23:31:12 [rigo]
- Jeff: WAI is a success, touches on regulatory aspects. W3C does a job of doing the pieces that makes sense for the Web, but we do not do laws. Remind everyone to what we do TPE and TCS. What does that signal mean can be used by regulator. One regulator could say, we use W3C meaning, other regulators can define their own meaning
- 23:31:26 [rigo]
- ND: explaining more on what the WAI work is
- 23:32:25 [rigo]
- ... instead of defining our own or refer to WAI. Some devs get frustrated if legislator defines their own
- 23:35:31 [rigo]
- Berin: Double minded here. See Shane to stop policy, but also see what W3C tries to achieve. But stopping here would be too short. There will be regulatory effects. Companies come to table because they were bullied to the table. Want a clear framework on what to think about is. On the one hand weighing tradeoffs is policy and shouldn't be done here. But on the other hand defining meaning is part of that work. Effect will because companies will be held to their
- 23:35:33 [rigo]
- promises.
- 23:36:15 [rigo]
- ... the more there is pressure, the more we are stuck in a policy situation that doesn't work well for W3C process
- 23:37:35 [rigo]
- Jeff: could be law coming out of this, this is not our objective. WAI is interesting. Very few countries that have law saying, you should follow W3C standards.
- 23:37:46 [rigo]
- ... web standards will do whatever they will do
- 23:38:54 [rigo]
- JoeHall: if DNT would stop, what would happen? => arms race? Thought it would be lost for consumers, but think that anymore. So we look for a compromise
- 23:39:24 [rigo]
- ... beyond the context.
- 23:40:18 [rigo]
- Deirdre: Goal is to augment the web platform with building blocks. We believe that technical tools can help integrate ...
- 23:40:50 [rigo]
- ... PICS, P3P, DNT have all that they have policy implications and have to discuss that, not limit discussion
- 23:41:19 [rigo]
- ... nobody will integrate that into interface decision
- 23:42:24 [rigo]
- ... talks about cases of ?? where interface was unclear. Those bodies will ask how are the defaults, how are you implementing it
- 23:43:18 [rigo]
- ... if you compare process of P3P and TPWG, you see evolution. Reach out to regulators, NGOs. But the last thing I would say is that we don't have a role
- 23:44:51 [rigo]
- SW: in general we are in agreement. If we look at policy we wouldn't have spec that wouldn't have impact. But prob is level of details in TPWG, has moved into the broader debate, meaning of consent, meaning of data minimization
- 23:45:35 [rigo]
- ... if you look beyond TPE, the struggle begins. Helpful to provide viewpoints. But not the appropriate for final say
- 23:45:45 [JoeHallCDT]
- JoeHallCDT has joined #privacy
- 23:45:59 [rigo]
- Deirdre: you support that or you don't support that? Defaults?
- 23:46:21 [rigo]
- SW: if silent ok, if not silent on defaults
- 23:46:36 [rigo]
- ... if you go back in data handling, then it goes to policy side
- 23:47:08 [ShaneWiley]
- ShaneWiley has joined #privacy
- 23:47:44 [rigo]
- AlexFowler: goal of W3C to privacy. W3C be great if this expertise is taken from here and apply it in other contexts of other SDOs. Cookie Specification would have benefited from such expertise
- 23:47:54 [Arnaud]
- +1
- 23:47:59 [rigo]
- JanS: reminds people to fill in post its
- 23:48:22 [rigo]
- coffee break:
- 23:57:25 [Zakim]
- Zakim has left #privacy