DNT:Agenda for April 3 call with updated text

Wednesday call April 3, 2013 – updated text included here

---------------------------
Administrative

Chair:  Peter Swire
---------------------------

1.  Confirmation of scribe – glad to accept volunteer  -- no volunteer thus far.

2.  Offline-caller-identification:
If you intend to join the phone call, youmusteither associate your phone number with your IRC username once you've joined the call (command: "Zakim, [ID] is [name]" e.g., "Zakim, ??P19 is schunter" in my case), or let Nick know your phone number ahead of  time. If you are not comfortable with the Zakim IRC syntax for associating your phone number, please email your name and phone number to npdoty@w3.org<mailto:npdoty@w3.org>. We want to reduce (in fact, eliminate) the time spent on the call identifying phone numbers. Note that if your number is not identified and you do not respond to off-the-phone reminders via IRC, you will be dropped from the call.

---------------------------
Compliance Spec
---------------------------

[Note -- Alan Chapell has now circulated proposed text on user eduation/user interface, to consider next Wednesday.]

3.  ACTION-368: Service Provider.  Seek to get to Pending Review – Stable.

Chris Pedigo circulated this updated definition on April 3:

Outsourced service providers are considered to be the same party as their clients:
         - if the outsourced service providers act as data processors on behalf of that party,
         - ensure that that the data can only be accessed and used as directed by thatparty,
         - have no independent right to use or share the data except as necessary to ensure the integrity,      security, and correct operation of the service being provided, and
         - have a contract in place that outlines and mandates these requirements.

His last round of text: http://lists.w3.org/Archives/Public/public-tracking/2013Mar/0057.html.

4. ACTION-373: Append.  Text proposed byJohn Simpson and Alan Chapell, with concurrence by Jeff Chester.
Normative:
When DNT:1 is received:
-- A 1st Party MUST NOT combine or otherwise use identifiable data received from another party with data it has collected while a 1st Party.
-- A 1st Party MUST NOT shareidentifiable data with another party unless the data was provided voluntarily by the user and is necessary to complete a business transaction with the user.
-- A  Party MUST NOT usedata gathered while a 1st Party when operating as a 3rd Party.
Non-Normative:
When DNT:1 is received, a 1st Party retains the ability to customize content, services, and advertising only within the context of the first party experience. A 1st party takes the user interaction outside of the 1st party experience if it receives identifiabledata from another party and uses that data for customization of content, services, or advertising.
When DNT:1 is received the 1st Party may continue to utilize user provided data in order to complete or fulfill a user initiated business transaction such as fulfilling an order for goods or a subscription.
When DNT:1 is received and a Party has become a 3rd Party it is interacting with the user outside of the 1st Party experience.  Using data gathered while a 1st party is incompatible with interaction as a third party.

Chris Pedigo gave five examples on data append in September, 2012, which are useful to consider in light of the proposed language:
http://www.w3.org/2011/tracking-protection/track/actions/229

5.  ACTION-376:  First Party and Multiple First Parties.  Seek to get to Pending Review – Stable.

Revised proposed language April 2, from Rob Sherman and Justin Brookman, on multiple first parties:

In most network interactions, there will be only one first party with which the user intends to interact.  However, in some cases, a network resource will be jointly operated by two or more parties, and a user would reasonably expect to communicate with all of them by accessingthat resource.  User understanding that multiple parties operate a particular resource could be accomplished through inclusion of multiple parties' brands in a URI, or prominent branding on the resource indicating that multiple parties are responsible for content or functionality on the resource with which a user reasonably would expect to interact by accessing the resource.  Simple branding of a party that merely serves as a service provider to the single entity providing a resource will not be sufficient to make that party a first party in any particular network interaction.
We've also discussed an example (text to be finalized, but draft offered for context) to illustrate this:

EXAMPLE:  Example News operates a news website, News.com.  Example Analytics measures usage of News.com and provides Example News with aggregate data regarding that usage.  News.com is branded with the News.com logo, but the homepage also includes an indication that the website is "powered by Example Analytics."  Despite this branding, only Example News would be a first party.

6.  ACTION-371: De-identification. There has been considerable discussion on the list.  Chair’s idea to consider – have a conference/symposium/published volume that pulls together the Working Group’s efforts here.


Dan Auerbach proposed text on de-identification:

Normative text:

Data can be considered sufficiently de-identified to the extent that it has been deleted, modified, aggregated, anonymized orotherwise manipulated in order to achieve a reasonable level of justified confidence that the data cannot reasonably be used to infer information about, or otherwise be linked to, a particular user, user agent, or device.

Non-normative text:
Example 1. In general, using unique or near-unique pseudonymous identifiers to link records of a particular user, user agent, or device within a large data set does NOT provide sufficient de-identification. Even absent obvious identifiers such as names, email addresses, or zip codes, there are many ways to gain information about individuals based on pseudonymous data.
Example 2. In general, keeping only high-level aggregate data across a small number of dimensions, such as the total number of visitors of a website each day broken down by country (discarding data fromcountries without many visitors), would be considered sufficiently de-identified.
Example 3. Deleting data is always a safe andeasy way to achieve de-identification.
Remark 1. De-identification is a property of data. If data can be considered de-identified according to the “reasonable level of justified confidence” clause of (1), then no data manipulation process needs to take place in order to satisfy the requirements of (1).
Remark 2. There are a diversity of techniquesbeing researched and developed to de-identify data sets [1][2], and companies are encouraged to explore and innovate new approaches to fit their needs.
Remark 3. It is a best practice for companies to perform “privacy penetration testing” by having an expert with access to the data attempt to re-identify individuals or disclose attributes about them. The expert need not actually identify or disclose the attribute of an individual, but if the expert demonstrates how this could plausibly be achieved by joining the data set against other public data sets or private data sets accessible to the company, then the data set in question should no longer be considered sufficiently de-identified and changes should be made to provide stronger anonymization for the data set.
[1] https://research.microsoft.com/pubs/116123/dwork_cacm.pdf
[2] http://www.cs.purdue.edu/homes/ninghui/papers/t_closeness_icde07.pdf


Roy Fielding proposed variation on Auerbach:

“Data can be considered sufficiently de-identified if there exists a reasonable level of confidence that the data cannot be used to identify a particular user, user agent, or device.”


7.  ACTION-372, service providers and debugging.  David Wainberg has submitted text, with Jonathan Mayer comments on the list.
6.1.1.2.7 Debugging
Information may be collected, retained and used for identifying and repairing errors that impair existing intended functionality.
Non-normative addition:
This provision includes use of data by service providers from across multiple clients simultaneously for the limited purpose of system debugging.
http://lists.w3.org/Archives/Public/public-tracking/2013Mar/0174.html

8.  Announce next meeting & adjourn


================ Infrastructure =================

Zakim teleconference bridge:
VoIP:    sip:zakim@voip.w3.org<file://localhost/sip/zakim@voip.w3.org>
Phone +1.617.761.6200 passcode TRACK (87225)
IRC Chat: irc.w3.org<http://irc.w3.org/>, port 6665, #dnt

*****

Received on Wednesday, 3 April 2013 15:47:04 UTC