from September 2011 by subject

1st Tracking Protection WG F2F - Cambridge, USA - 21-22 September 2011

[Minutes] Tracking Protection WG Teleconference 14 & 16 September 2011

[proposal] Template for communicating our issues

A few input document suggestions

Agenda for 2011-09-28 TPWG call

AW: updated agenda for tomorrow

Comments on Web Tracking Protection W3C Member Submission 24 February 2011

Conference call invitation: 14 September at 8 am Pacific / 11 am Eastern / 17:00 Central European

Deliverables to be edited Re: Agenda for 2011-09-28 TPWG call

f2f for remote attendees

Facebook tracking

Further input document suggestions

ISSUE-10: What is a first party? As an example, CBS and C|Net are the same company but visually distinct websites/brand, is this a first party relationship?

ISSUE-11: Document a longer list of use cases -- what's going on today

ISSUE-12: How does tracking require relation to unique identities, pseudonyms, etc.?

ISSUE-13: What are the requirements for DNT on apps/native software in addition to browsers?

ISSUE-14: How does what we talk about with 1st/3rd party relate to European law about data collector vs data processor?

ISSUE-15: What special treatment should there be for children's data?

ISSUE-16: What does it mean to collect data? (caching, logging, storage, retention, accumulation, profile etc.)

ISSUE-17: Data use by 1st Party

ISSUE-18: Collection definition (not sure I said the prefix before?)

ISSUE-19: Data collection / Data use (3rd party)

ISSUE-1: Example issue to be closed, so people can see what an issue looks like.

ISSUE-20: Different types of data, what counts as PII, and what definition of PII

ISSUE-21: Enable external audit of DNT compliance

ISSUE-22: Still have "operational use" of data (auditing of where ads are shown, impression tracking, etc.)

ISSUE-23 and ISSUE-34 (exemption for analytics and exemption for aggregate analytics)

ISSUE-23: Possible exemption for analytics

ISSUE-24: Possible exemption for fraud detection and defense

ISSUE-25: Possible exemption for research purposes

ISSUE-26: Providing data to 3rd-party widgets -- does that imply consent?

ISSUE-27: "opt back in"

ISSUE-27: Mechanism to revoke Do Not Track for specific entities (maybe I really like Google), "opt back in"

ISSUE-28: Exception for mandatory legal process

ISSUE-29: Tracking that may be required by law enforcement

ISSUE-2: What is the meaning of DNT (Do Not Track) header?

ISSUE-30: Will Do Not Track apply to offline aggregating or selling of data?

ISSUE-31: Minimization -- to what extent will minimization be required for use of a particular exemption? (conditional exemptions)

ISSUE-32: Sharing of data between entities via cookie syncing / identity brokering

ISSUE-33: Complexity of user choice (are exemptions exposed to users?)

ISSUE-34: Possible exemption for aggregate analytics

ISSUE-35: How will DNT interact with existing opt-out programs (industry self-reg, other)?

ISSUE-36: Should DNT opt-outs distinguish between behavioral targeting and other personalization?

ISSUE-37: Granularity could be as complex as something P3P-style, based on business types and uses

ISSUE-38: Granularity for different people who share a device or browser

ISSUE-39: Tracking of geographic data (however it's determined, or used)

ISSUE-3: What is the granularity of the choice we expect users to make?

ISSUE-40: Enable Do Not Track just for a session, rather than being stored

ISSUE-41: Consistent way to discuss tracking with users (terminology matters!)

ISSUE-42: Feedback to the user from the browser when Do Not Track is turned on

ISSUE-43: Sites should be able to let the user know their options when they arrive with Do Not Track

ISSUE-44: Ability to measure/detect who is honoring Do Not Track at a technical level

ISSUE-45: Companies making public commitments with a "regulatory hook" for US legal purposes

ISSUE-46: Enable users to do more granular blocking based on whether the site responds honoring Do Not Track

ISSUE-47: Should the response from the server point to a URI of a policy (or an existing protocol) rather than a single bit in the protocol?

ISSUE-48: Response from the server could both acknowledge receipt of a value and (separately) whether the server will honor it

ISSUE-49: Third party as first party - is a third party that collects data on behalf of the first party treated the same way as the first party?

ISSUE-4: What is the default? Is this an opt-in or an opt-out?

ISSUE-50: Are DNT headers sent to first parties?

ISSUE-51: Should 1st party have any response to DNT signal

ISSUE-52: What if conflict between opt-out cookie and DNT?

ISSUE-53: How should opt-out cookie and DNT signal interact?

ISSUE-54: Can first party provide targeting based on registration information even while sending DNT

ISSUE-55: What is relationship between behavioral advertising and tracking, subset, different items?

ISSUE-56: What if DNT is unspecified and an opt-out cookie is present?

ISSUE-57: What if an opt-out cookie exists but an "opt back in" out-of-band is present?

ISSUE-58: What if DNT is explicitly set to 0 and an opt-out cookie is present?

ISSUE-59: Should the first party be informed about whether the user has sent a DNT header to third parties on their site?

ISSUE-5: What is the definition of tracking?

ISSUE-60: Will a recipient know if it itself is a 1st or 3rd party?

ISSUE-61: A site could publish a list of the other domains that are associated with them

ISSUE-62: The browser or embedding site could send an architectural signal to an embedded iframe so it knows it's in a 3rd-party context

ISSUE-63: Should there be a popup dialog or something like that which should override DNT?

ISSUE-64: How does preference management work with DNT

ISSUE-65: How does logged in and logged out state work

ISSUE-66: Can user be allowed to consent to both third party and first party to override general DNT?

ISSUE-67: Should opt-back-in be stored on the client side?

ISSUE-68: Should there be functionality for syncing preferences about tracking across different browsers?

ISSUE-69: Should the spec say anything about minimal notice? (ie. don't bury in a privacy policy)

ISSUE-6: What are the underlying concerns? Why are we doing this / what are people afraid of?

ISSUE-70: Does a past HTTP request with DNT set affect future HTTP requests? (expiration)

ISSUE-71: Does DNT also affect past collection or use of past collection of info?

ISSUE-72: Basic principle: independent use as an agent of a first party

ISSUE-73: In order for analytics or other contracting to count as first-party: by contract, by technical silo, both silo and contract

ISSUE-74: Are surveys out of scope?

ISSUE-75: How do companies claim exemptions and is that technical or not?

ISSUE-76: Should a server echo the DNT header to confirm receipt?

ISSUE-77: How does a website determine if a first or third party and should this be included in the protocol?

ISSUE-78: What is the difference between absence of DNT header and DNT = 0?

ISSUE-79: Should a server respond if a user sent DNT:0?

ISSUE-7: What types of tracking exist, and what are the use cases for these types of tracking?

ISSUE-80: Instead of responding with a Link: header URI, does it make sense to use a well-known location for this policy?

ISSUE-81: Do we need a response at all from server?

ISSUE-82: Should the DNT header be extensible with additional parameters?

ISSUE-83: How do you opt out if already opted in?

ISSUE-84: Do we need a JavaScript API / DOM property for client-side js access to Do Not Track status?

ISSUE-85: DOM property and its access generally and specifically to web apps

ISSUE-86: Do we have general extensibility capability for header response?

ISSUE-87: Should there be an option for the server to respond with "I don't know what my policy is"

ISSUE-8: How do we enhance transparency and consumer awareness?

ISSUE-9: Understand all the different first- and third-party cases.

More details for tomorrow AM

Opera URL Filter API

Overflow call: 16 September at 8 am Pacific / 11 am Eastern / 17:00 Central European

quick test, ignore

tracking-ISSUE-88: different rules for impression of and interaction with 3rd-party ads/content [Tracking Preference Expression Definitions and Compliance]

updated agenda for tomorrow

URL Filter List file format

Welcome to Matthias, co-chair

Welcome to the mailing list

Last message date: Friday, 30 September 2011 01:48:02 UTC