18:00 < trackbot> Date: 24 April 2017 18:01 < Bert> present+ 18:01 < Bert> RRSAgent, make minutes v2 18:01 < RRSAgent> I have made the request to generate http://www.w3.org/2017/04/24-dnt-minutes.html Bert 18:02 < Bert> chair: schunter 18:02 -!- mikeoneill [~mikeoneill@public.cloak] has joined #dnt 18:03 < Bert> regrets+ David Singer 18:03 -!- aleecia [~aleecia@public.cloak] has joined #dnt 18:03 < aleecia> schunter asks: is shane back? answer seems to be no. 18:04 < rvaneijk> Screenshots sent to the mailing list: https://lists.w3.org/Archives/Public/public-tracking/2017Apr/0035.html 18:04 < aleecia> schunter: discuss content & tech resolution. next step is texts and (?) 18:04 < aleecia> … 30 minutes, quick discussion of what changes and why 18:05 < aleecia> … then we discuss accept the change or not 18:05 < aleecia> … can go through call for objects process again 18:05 < aleecia> … any ? 18:05 < aleecia> … hearing none, gets started. 18:05 < aleecia> rvaneijk: can be heard :-) 18:05 < aleecia> … using screenshots seen dlist 18:06 < aleecia> … makes it easier to distringuish resources and legal grounds 18:06 < aleecia> … looked at two groups of actors. first, Rubicon, real time with network partners 18:07 < aleecia> … central Rubicon in big yellow, surrounded by nodes in the ad exchange 18:07 < aleecia> … in disucssion, would they rely on consent or not? come back to. 18:07 < aleecia> … the nodes that are still yellow in the center, resources that through referer header are pulled in and lead to analytics data for the ad exchange network 18:08 < aleecia> … header relations between resource and where the js is called from, originally a referer header or a location hearder if the request was redirected 18:08 < aleecia> … any ? on the rep of the image? 18:08 < aleecia> (trying to find it still!) 18:08 < aleecia> rvaneijk, same graph but different group of actors 18:09 -!- mikeoneill [~mikeoneill@public.cloak] has quit [Ping timeout: 180 seconds] 18:09 < aleecia> Rubicon is now in grey, the other nodes in green 18:10 < aleecia> rvanejik, API call with UID sent to sync unique id in background, which is the rubicon ad exchange in real time 18:10 < aleecia> … the cookie synching allows trading of uid’s. 18:10 < aleecia> … core of the arguement is here, around legal grounds. 18:10 < aleecia> … calling for specific information in the tracking status resource to distinguist different type of actors 18:10 < aleecia> … have the controler array to identify itself 18:11 < aleecia> … same party array, all resources could be listed if there’s an agreement signed or resources owned by controller itself (if you host on amazon type of resource (?) 18:12 < aleecia> … calling for: try to differentiate. out of band consent is important, can call for persmission for all parties as out-of-bad-consent 18:12 < aleecia> … but the networks are not listed on the publisher’s network and cannot rely on the out-of-band-consent of the publisher 18:12 < aleecia> … propose distinugishing between parties that are needed to make the real time ad exchange work, and parties that are not 18:13 < aleecia> … what is the extent of control of the publisher, do they have an agreement. or these resources are themselves (different) 18:13 < aleecia> … would help transparency 18:13 < aleecia> … will help parties that cannot rely on out of band consent 18:14 -!- wileys [~wileys@public.cloak] has joined #dnt 18:14 < aleecia> … proposal: enhance status resource with new, “other party” (name tbd) to enable publisher to list all resources they can identify that they want to ask for consent from user 18:14 < aleecia> ?: can you explain in a transaction, how to distinguish between site=wide and (?) 18:15 < aleecia> rvaneijk: publisher identifies all the resources, all the nodes. Mike’s example of LA Times, 335 resources 18:15 < schunter> 3 tiers of parties: same-party, new website-helpers, and everyone else. 18:15 < aleecia> Shane: 300 listed in Yahoo’s privacy center, can have contracts with that many parties. i think you’re trying to state a site-wide exception cannot exist, disagree. 18:16 < aleecia> … not listed as same party, since they’re 3rd party. does not require all 3rd parties be enumerated. 18:16 < aleecia> … would be those domains under publisher’s (?) 18:16 < walter> q+ 18:16 * Zakim sees walter on the speaker queue 18:16 < aleecia> rob: in EU need to enumerate. makes it hard to automate. 18:17 < aleecia> shane: not a requirement by law. this is only one technical option and could Break The Entire Standard 18:17 < aleecia> rob: trying to improve over cookie wall 18:17 < schunter> q? 18:17 * Zakim sees walter on the speaker queue 18:17 < schunter> q+ 18:17 * Zakim sees walter, schunter on the speaker queue 18:17 < aleecia> shane: consent is the same as a cookie wall. not all publishers can identify all actors 18:17 < aleecia> (cannot tpe as fast at they can argue) 18:18 < aleecia> shane: a publisher *can* know 3rd parties and this proposal breaks that 18:18 < aleecia> rob: transparency not control. additional object, why would it break the model 18:18 < aleecia> schunter: echo 18:18 < wileys> This list can be accomplilshed MANY ways 18:19 < wileys> Does not require DNT to support this outcome 18:19 -!- fielding [~fielding@public.cloak] has joined #dnt 18:19 < aleecia> … rob is saying, he believes under EU law you have to list everyone who’s collecting data. Shane, saying no, stie-wide exception is enough. Rob is saying we can implement both options. 18:19 < aleecia> … everybody who’s not a first party is still getting data should be listed 18:19 < aleecia> Shane: saying, how does the browser manage this? 18:20 < aleecia> … if a publisher says, i have a site-wide exception, provides in the TSR and does not fill out Rob’s field, what does the UA do? is this an optional field, and if optional, how does a browser handle populated or not? Rob is attempting to push more requirements on the browser and trying to avoid that 18:21 < aleecia> schunter: anything the browser should do with this or just record it? 18:21 < wileys> But that is for the browser to decide - not Rob 18:21 < aleecia> rob: browser discussion leads to ad blocking. one hand, browser not block anything. other hand, block everything except what’s consented. middle ground between ad blocking options is a consent-based middle ground that DNT can address 18:22 < aleecia> … browsers handling this info is out of scope for us. providing this info allows browsers to not break (ad networks?) 18:22 < wileys> +q 18:22 * Zakim sees walter, schunter, wileys on the speaker queue 18:22 < aleecia> … in order to let programatic ads survive rather than be blocked by default, this missing property allows browsers to 18:23 < aleecia> schunter: same party gets DNT:1 everyone else blocked, but with additional field those guys not blocked because friends of the publisher, so get special treatment 18:23 < aleecia> wileys: confounding two topics. ad blocking would not occur if all parties have consent or valid processing basis, but that’s not true. 18:24 < aleecia> … on the issue of allowing a transaction to occur, if a publisher states site-wide exception, they understand the expanse of that permission, browser should do nothing more than register when the exception occurred. can confirm after to make sure contracts and lists in place, but all browser does is send dnt:0 for the same-party domain 18:24 < aleecia> … this is how we developed the standard. 18:25 < aleecia> schunter: let’s keep ad blocking out now. 18:25 < aleecia> … browser can only send dnt:0 for everything listed in same party area and the like 18:25 < aleecia> wileys: and all parties under, all domains under xyz.com should get a dnt:0 if registered a site-wide exception. that’s how we built it to date. 18:26 < aleecia> schunter: i think rob doesn’t want to change that. if not sub-sites of yahoo, like the rubicon thing, the other nodes would not get a dnt:0 18:26 < aleecia> wileys: but my list could be on a web page. 18:27 < aleecia> … should be all domains under those registered under the first party domain 18:27 < aleecia> schunter: but then who they are is unknown 18:27 < aleecia> wileys: no requirement to list, is over-loading the TSR 18:27 < aleecia> … could manage in our privacy centers, the well-known location could hold this. attempting to make it machine readable. 18:28 < schunter> q? 18:28 * Zakim sees walter, schunter, wileys on the speaker queue 18:28 < aleecia> … some are www.adnetwork.com or adnetwork2.com, we’d have to list *all* of those on Rob’s proposal. if a domain is not listed, the brwoser should send dnt:1 even though a site-wide exception have been issued for the parent domain 18:29 < aleecia> … ask the browser, or the publisher needs to ask the end user, trying to udnerstand the full scope of interactions in Rob’s structure, breaks many of the conventions 18:29 < aleecia> rob: site-wide exception only goes as far as the parties can be identified up front, or else it’s a wild card 18:29 < aleecia> … for unknown puposes 18:29 < aleecia> … legal consent for ePriv (won’t allow that) 18:30 < fielding> I thought our goal was to move the specificaton closer to actual implementations. It sounds to me like folks want to start over with a new API and a completely different consent mechanism based on imagined implementations. I won't argue that either is a better way forward, but I will argue that we can't do teh latter on this schedule. 18:30 < fielding> s/ teh / the / 18:30 < aleecia> … if there are restrictions on stie-wide limitations, if that could lead to compliance we wouldn’t need this discussion. but most publishers cannot identify all parties up front. and yes, browser needs to decide, can be conversation with user or automatically. 18:30 < fielding> s/stie/site/ 18:30 < aleecia> … ability to express consent through browser settings is long established 18:31 < aleecia> … dnt can do so much better than current cookie settings of 1st or 3rd party, doesn’t help publisher either 18:31 < aleecia> wileys: have ability to manage individual cookies. 18:31 < aleecia> … you didn’t rebuke anything i’ve stated. 18:31 < aleecia> … pushes the browser into a legal position to arbitrate valid consent or not 18:32 < aleecia> schunter: not so clear, Shane you believe site-wide consent is dnt:0 goes to everything on yahoo.com? 18:32 < aleecia> wileys: everything underneath gets dnt:0, on purpose, today 18:34 < aleecia> … requirement to list all 1st party, so yimg.net would be on our first party list. if user grants, yahoo takes on the legal responsibility that we request and record that exception, any 3rd parties we have relationships. Rob presumes websites are unable to do this so he’s adding a new option, but we’d break how the TPE works today for a presumed problem (that Shane disagrees exists) 18:34 < aleecia> … there are many other solutions v programatically - trying to make 3rd party lists machine readable to put browsers in the 18:34 < aleecia> schunter: don’t see how it breaks anything when it’s informational. don’t agrree with your argument 18:35 < aleecia> shane: but if people populate it, then you put the browser in that position 18:35 < aleecia> schunter: don’t think so. let’s do call for objections, 18:35 < aleecia> ? : annoyed by how this is being chaired 18:35 < fielding> q? 18:35 * Zakim sees walter, schunter, wileys on the speaker queue 18:35 < wileys> Please speak 18:35 < aleecia> … ignoring the queue 18:35 < schunter> q? 18:35 * Zakim sees walter, schunter, wileys on the speaker queue 18:35 < aleecia> … shane saying outragous things about EU law 18:35 < wileys> Go ahead Walter 18:35 < schunter> ack wal 18:35 * Zakim sees schunter, wileys on the speaker queue 18:36 < schunter> ack schunter 18:36 * Zakim sees wileys on the speaker queue 18:36 < schunter> ack wil 18:36 * Zakim sees no one on the speaker queue 18:36 < aleecia> Walter: a few things. Shane is right about TPE so far, but that is because TPE so far is (unclear?) 18:36 < aleecia> … site-wide exception makes perfect sense if server believes in permission before hand 18:36 * Zakim aleecia, you typed too many words without commas; I suspect you forgot to start with 'to ...' 18:37 < wileys> That was why the site-wide exception was built in the first place - 1st parties themselves are not subject to DNT! 18:37 < aleecia> … not out-of-band consent but specific permission needs specific consent (eu law) 18:37 < aleecia> … fields that Rob proposes are a useful fit. 18:37 < wileys> Walter - you are incorrect - 1st parties are not subject to DNT - they do not need consent on their own 18:37 < aleecia> … two cases, DNT for active consent, or a server with opt out on dnt:1 and why the server thinks it has an opt out 18:38 < wileys> We REALLY need a web browser vendor on the call 18:38 < aleecia> … annoyed by the idea that browsers aren’t intermediaries, user chooses the browser. they provide infrastructure but not a part of the — ? 18:38 < aleecia> wileys: Walter wasn’t here at the start, DNT is for 3rd parties (aleecia notes: this is not true) 18:39 < aleecia> ?: first party was always a compliance spec things 18:39 < aleecia> q+ 18:39 * Zakim sees aleecia on the speaker queue 18:39 < schunter> q+ 18:39 * Zakim sees aleecia, schunter on the speaker queue 18:39 < aleecia> wileys: site-wide exceptions were created to cover 1st parties 3rd parties. 18:39 < aleecia> … we’ve forgotten the purpose of a site-wide exception 18:40 < aleecia> … the responsibility of the 1st party is to have necessary mechanisms in place before they register a site-wide exception 18:40 < schunter> I have to leave 5min earlier. 18:40 < aleecia> … once we introduce this next level of enumeration, keep your 3rd party list up to date in your TSR, even though you might have another party keeping your list of 3rd parties. yahoo lists an ad exchange lists all of their clients 18:41 < aleecia> … to get consent, give a link to the ad exchange, not this new overhead of managed lists that i don’t own 18:41 < aleecia> ? … when talking about consent for technical means, something specific, by extension you as a publisher want to prove after that there’s a trail 18:41 < schunter> Walter: Consent will be required to be specific (=well-defined list of sites). 18:41 < aleecia> … can’t see how i can square specific consent with “using this ad exchange” for all the site-wide exceptions 18:42 < aleecia> … this is not actual consent 18:42 < aleecia> shane: now we disagree on specificity, limits on use, there are other ways to gain that consent. let the court’s decide. can’t presume the outcome and force the standard 18:43 < aleecia> schunter: we aren’t going to reach consensus in 5 minutes. call for objections as usual. 18:43 < aleecia> … don’t see doing another few calls since we are not converging 18:43 < aleecia> shane: gone for 3 weeks, on honeymoon, could get further with conversation but missed calls. i’m the only person on this call representing industry 18:43 < aleecia> … only folks on the call are consuemr advocates and regulators 18:44 < aleecia> (apple????) 18:44 < aleecia> (adobe???) 18:44 < fielding> TPE is concerned with tracking, not parties; a first-party that uses tracking data is still subject to the DNT request, though they might ignore or limit the scope of DNT if the service being requested is expected by the user to involve tracking data. 18:44 < aleecia> shane: ok, but they’re not ad side for other industry voices (in response to my mention of other cos) 18:45 < aleecia> … little nervous where it’s very lopsided, lacks balance, trying to reestablish balance. mean no disrespect 18:45 < aleecia> … would rather more discussion, rather than call for objections 18:46 < aleecia> … will get other voices to participate 18:46 < aleecia> walter: train here, must go 18:46 < aleecia> … suggests more on the dlist 18:46 < fielding> I am trying to stay editor-neutral, but I do represent Adobe here. I just don't have the background to know how Adobe's various products will implement DNT. 18:46 < aleecia> schunter: ok, one more week 18:47 < aleecia> rvaneijk: we announced the call on the list, members who are dormant can participate and know 18:47 < aleecia> … we have process of announcement, allows everyone to speak if they want to 18:47 < aleecia> schunter: see Shane’s point he wasn’t here. if no consenus by one more week, will do call for objections 18:48 < aleecia> Roy: prepare text first, then we can discuss the texts 18:48 < aleecia> (+1 on that from me) 18:48 < aleecia> schunter: good point 18:48 < aleecia> q- 18:48 * Zakim sees schunter on the speaker queue 18:49 < aleecia> schunter: tracking status resource, sites have other parties, optional. don’t want to specify what browsers do. 18:49 < wileys> Correct 18:49 < aleecia> … Shane’s proposal not to change the spec with additional fields 18:49 < wileys> Walter has me nervous to speak up now 18:49 < wileys> :-) 18:49 < aleecia> … two options, Rob, please send text for your proposal 18:49 < rvaneijk> ok 18:49 < aleecia> … no change is easy to write up :-) 18:49 < walter> wileys: Heh, I wish I had that power. But no, it wasn't about you. 18:50 < aleecia> Shane — CONGRATULATIONS! 18:50 < walter> oh, yes, that too! 18:50 * wileys Thank you! 18:50 < aleecia> I hope you had a great honeymoon! 18:50 * wileys It was nice - but back to reality! 18:50 < schunter> Issue 35: Summary by Aleecia 18:50 * trackbot doesn't understand that ISSUE command. 18:51 < walter> To give users the ability to see what they agree to 18:51 < walter> One is to give the delta of what changes between dnt:0 and dnt:1 18:51 < schunter> Suggest a way to find a user-readable description of what users consent to. 18:51 < walter> The other is to explain both dnt:0 and dnt:1 18:51 < walter> The idea is to have some hook in the text 18:51 < wileys> DNT:0 = Privacy Policy — DNT:1 = Statement of what stops 18:52 < wileys> I’m fine with this proposal on “what changes” under DNT:1 as a human readable (not machine) element 18:52 < fielding> My understanding of the (Adobe) legal perspective is that we can only have one set of instructions that describes what we do in each case. Showing different text to different users is NOT an option. 18:52 < fielding> q+ 18:52 * Zakim sees schunter, fielding on the speaker queue 18:52 < walter> I'm in favour of treating DNT:0 rather differently from DNT:1 18:52 < walter> they are too different 18:53 < walter> Matthias would like to push this out to the next release 18:53 < walter> aleecia thinks it makes more sense to deal with this now 18:53 < walter> Because we don't have a baseline 18:53 < walter> People need to know what they are agreeing to 18:53 < walter> This is the fallout of not having a compliance spec 18:54 < walter> Roy feels no difference between having a compliance spec or not 18:54 < walter> Aleecia wants to prevent a billion pop-ups 18:54 < walter> Consensus on a very low burden to do this 18:55 < walter> Matthias: so what you're suggesting is a best practice? 18:55 < walter> aleecia: not even related to multiple compliance specs, it is that the user should understand what changes 18:56 < fielding> I meant that we have a Compliance array to provide a reference to how the site will comply to DNT. And we have a policy member that points to the text-for-all-cases. 18:56 < wileys> Pop-ups are going to occur no matter what now - and will likely be more of a burden for users under ePR 18:56 < fielding> q- 18:56 * Zakim sees schunter on the speaker queue 18:56 < fielding> q- sch 18:56 * Zakim sees no one on the speaker queue 18:57 < walter> will do so, then 18:57 < walter> bye! 18:57 -!- rvaneijk [~rvaneijk@public.cloak] has quit ["Page closed"] 18:57 -!- wileys [~wileys@public.cloak] has left #dnt [] 18:57 -!- aleecia [~aleecia@public.cloak] has quit [aleecia] 18:57 < fielding> present+ fielding 18:58 < fielding> rrsagent, who is attending? 18:58 < RRSAgent> I'm logging. Sorry, nothing found for 'who is attending' 18:58 < fielding> rrsagent, who is here? 18:58 < RRSAgent> I'm logging. Sorry, nothing found for 'who is here' 18:59 * fielding damn, can never remember to hicus pocus incantation 19:00 -!- Brendan [~Brendan@public.cloak] has quit ["Page closed"] 19:01 < fielding> Zakim, who is here? 19:01 < Zakim> Present: Bert, fielding 19:01 < Zakim> On IRC I see fielding, Zakim, RRSAgent, schunter, dsinger, wseltzer, Bert, walter, adrianba, hadleybeeman, mkwst, trackbot 19:02 < fielding> present+ schunter, dsinger, wseltzer, walter, adrianba, hadleybeeman, mkwst 19:02 < fielding> Zakim, who is here? 19:02 < Zakim> Present: Bert, fielding, schunter, dsinger, wseltzer, walter, adrianba, hadleybeeman, mkwst 19:02 < Zakim> On IRC I see fielding, Zakim, RRSAgent, schunter, dsinger, wseltzer, Bert, walter, adrianba, hadleybeeman, mkwst, trackbot 19:03 < fielding> present +swiley, moneill, rvaneijk, aleecia 19:04 < fielding> present+ wileys 19:04 < fielding> Zakim, who is here? 19:04 < Zakim> Present: Bert, fielding, schunter, dsinger, wseltzer, walter, adrianba, hadleybeeman, mkwst, wileys 19:04 < Zakim> On IRC I see fielding, Zakim, RRSAgent, schunter, dsinger, wseltzer, Bert, walter, adrianba, hadleybeeman, mkwst, trackbot 19:04 < fielding> scribe: aleecia 19:05 < fielding> trackbot, status 19:05 * trackbot knows about these 64 users: Dan, Adrian, Elise, Chao, Nataliia, Bert, Neil, Rudy, Dan, Carl, Qu, Jeffrey, Amy, Mathieu, Nick, Ian, Roy, Hanrui, Sue, Alanna, Euan, Joseph, Sean, Ronan, Bin, Susan, Daniel, Jeff, Simon, Brad, Kennie, Jessica, Aleecia, Yue, Erik, Theresa, Mike, Brendan, Keith, Thomas, Matthias, Wendy, Rob, David, Kevin, Michael[tm], Bryan, Weihua, caten, Lee, Alan, Vincent, Alan, Rob, Walter, Frank, Heather, 19:05 * trackbot ... Heather, Shane, Jing, Xuemei, Yuanzhou, Yangguang, Horace 19:06 < fielding> trackbot, end meeting 19:06 * trackbot is ending a teleconference. 19:06 < trackbot> Zakim, list attendees 19:06 < Zakim> As of this point the attendees have been Bert, fielding, schunter, dsinger, wseltzer, walter, adrianba, hadleybeeman, mkwst, wileys 19:06 < trackbot> RRSAgent, please draft minutes 19:06 < RRSAgent> I have made the request to generate http://www.w3.org/2017/04/24-dnt-minutes.html trackbot 19:06 < trackbot> RRSAgent, bye 19:06 < RRSAgent> I see no action items