Agenda for 22 August 2012 call

Chair:		Aleecia
Main topic:	We began work on issues on the Aug 1 and 8th calls without resolution in some cases. 

---------------------------
Administrative
---------------------------

1. 	Selection of scribe

---------------------------
Old business
---------------------------

2.  	Review of overdue action items:  http://www.w3.org/2011/tracking-protection/track/actions/overdue?sort=owner

3.	Quick check that callers are identified

4.	Reminder: polling on choices offered by UA open one more week,  https://www.w3.org/2002/09/wbs/49311/tripart/

---------------------------
New business
---------------------------

5.	Some very familiar looking new business...

	(a) ISSUE-45	PENDING REVIEW	Companies making public commitments with a "regulatory hook" for US legal purposes
		HISTORY: we had the previous text:
			"In order to be in compliance with this specification, a third party must make a public commitment that it complies with this standard. A "public commitment" may consist of a statement in a privacy policy, a response header, a machine-readable tracking status resource at a well-known location, or any other reasonable means. This standard does not require a specific form of public commitment."
		On the 8 Aug call, Roy pointed out a response is now mandatory, making the text above out-of-date and incorrect. His counter-suggestion was:
			"An origin server MUST make a public commitment that it complies with this standard through the provision of a site-wide tracking status resource [[!TRACKING-DNT]]."
		We ran out of time on the call. 
		PROPOSAL: The Compliance editors add Roy's text and we close issue-45.


	(b) Third parties should be prohibited from acting or representing themselves as first parties. (ISSUE-123)
	ACTION-116 on Thomas Lowenthal
	Original text: http://lists.w3.org/Archives/Public/public-tracking/2012Feb/0618.html
	Proposed edit: http://lists.w3.org/Archives/Public/public-tracking/2012Mar/0126.html
	HISTORY: From the Aug 1 call, the basic concern is that the language in the draft assumes parties will always and forever, in all cases, know what party they are despite the 1st and 3rd party definitions in the Compliance document that make it clear that is not the case. [We do have some debate over that text as well, which will need to be resolved, but that is another issue, specifically issue-60.] Other concerns arose, but the major and persistent concern was a use case where someone has content embedded in someone else's iFrame, is not aware they are 3rd and not 1st party, and has negative consequences through no action of their own.
	New suggestions for this text include using the phrase "knowingly represent," limiting the scope to just be about DNT responses, and adding language that this text does not suggest it is ok to misrepresent elsewhere ("This section is not intended to allow or prohibit any practices other than those explicitly addressed.")
	We agreed service providers will need to be integrated with this text, and are not currently.
	We did not discuss but might consider if examples in non-normative text could help clarify here. An example that specifically addresses iFrames seems apropos. That might help address the substantive concerns.
	David Singer took action-233 to draft text to add similar intent to the TPE document, but after further reflection, closed the issue. No one was interested in taking it up from David. 
	Tom Lowenthal was uninterested in updating his text to address concerns raised on the call, as he believes the text addresses them as-is. 
	PROPOSAL: one of two paths.
		- Someone steps forward to offer a revised text that might address the primary concern raised. We review that text, and if it is now acceptable, we adopt. If there is still a split of strong opinions, we apply the decision process and call for objections.
		- If no one is interested in doing five minutes of further work on the action-161 text, we close it for lack of interest.

	(c) Third party as first party - is a third party that collects data on behalf of the first party treated the same way as the first party? (ISSUE-49)
	ACTION-161 on Shane Wiley: work on issue-49
	Current text is in the body of the action: http://www.w3.org/2011/tracking-protection/track/actions/161
	HISTORY: we learned on the Aug 1 call that Shane intends this as a replacement for current text around service providers.
	Shane was to revise his prior text to reflect suggestions from the Aug 1 call, which included:
		Changing "operate as a First Party" to "operate under the rules for a first party" to clarify service providers have additional restrictions 
		Renaming this section to "Service Provider"
		Updating to reflect there may be third parties on behalf of third parties, not just on behalf of first parties
	With the conclusion of Shane's edits, we will discuss this text on the call. 
	Expected outcomes: 
		- We acknowledged on the Aug 1 call that these proposals are likely to go through the decision process with a call for objections. We need alternatives we can adopt into the document.
		- Either we agree Shane's text is now complete, or there is another action item for any additional edits
		- The current text in the drafts is dated and does not reflect third parties acting on behalf of third parties. This suggests an action to update that text as well. 
		- Once texts are complete, we compare them side-by-side

Note that the remaining topics were on a prior agenda (or two, in some cases) but we ran out of time and did not take them up:

	(d) ISSUE-64		POSTPONED	How does site-preference management work with DNT	
		See the summary box in the issue (http://www.w3.org/2011/tracking-protection/track/issues/64) -- this was about setting cookies that have non-identifiable information, for example, the user's default language. I believe we are unanimous in agreeing this is fine and does not require consent under DNT, provided the pool of users is large enough, though we are not quite agreed on final language, though pretty close.
		PROPOSAL: Move this from "postponed" to "open", and rename to "How do we describe non-identifiable data" to reflect the state of the conversation.

	(e) ACTION-208 on Ian Fette: Draft a definition of DNT:0 expression -- issue-148
	Text under discussion (after a few edits): http://lists.w3.org/Archives/Public/public-tracking/2012Jun/0314.html
		Suggestion for addition http://lists.w3.org/Archives/Public/public-tracking/2012Jun/0421.html which may not work: http://lists.w3.org/Archives/Public/public-tracking/2012Jun/0428.html
	Counter-proposal: http://lists.w3.org/Archives/Public/public-tracking/2012Jun/0313.html

	(f) Specify "absolutely not tracking" (ISSUE-119)
	ACTION-110 on Ninja Marnau: Write proposal text for what it means to "not track"
	Text: http://lists.w3.org/Archives/Public/public-tracking/2012Feb/0362.html
	Counter-proposal from Roy: http://lists.w3.org/Archives/Public/public-tracking/2012Feb/0403.html
	Several people suggested changes, mostly "let's call this something other than 'not tracking' please." One suggestion there: "Exceeds the compliance standard and does not collect and retain any data"

	Buried in this discussion was David Singer's attempt to define tracking: "Tracking is the retention or use, after a transaction is complete, of data records that are, or can be, associated with a single user." (I'd append: ", user agent, or device.") Unlike every other time someone has made the attempt, the one and only reply was in support. Does that mean we can live with this? [Note that issue-5 is currently raised]


---------------------------

6. 	Announce next meeting & adjourn

================ Infrastructure =================

Zakim teleconference bridge:
VoIP:    sip:zakim@voip.w3.org
Phone +1.617.761.6200 passcode TRACK (87225)
IRC Chat: irc.w3.org, port 6665, #dnt

*****

Received on Tuesday, 21 August 2012 16:58:51 UTC