W3C home > Mailing lists > Public > public-dntrack-contrib@w3.org > January 2012

Re: W3C Community Group Final Draft

From: Lee Tien <tien@eff.org>
Date: Mon, 9 Jan 2012 09:54:14 -0800
Cc: public-dntrack-contrib@w3.org
Message-Id: <9B749042-45FB-4F1A-AA77-27438CEFC4B1@eff.org>
To: Jeremy Malcolm <jeremy@ciroap.org>
Great!

We will be trying to keep up to date.  Drafts have been trickling in.   
Here is one that we like in general outline -- but in the Final Draft  
said we had not studied in detail.  My plan is to supplement our  
response to catch developments between this Final Draft and the  
Brussels meeting.

Lee


Begin forwarded message:

> Resent-From: public-tracking@w3.org
> From: Rigo Wenning <rigo@w3.org>
> Date: January 9, 2012 8:59:19 AM PST
> To: public-tracking@w3.org
> Cc: David Singer <singer@apple.com>
> Subject: Re: issues 23 and 34, happy new year's initial text for  
> all...
>
> David,
>
> I like your suggestion. We should ask Rob about it as I think the  
> restrictions
> even match the definition of a data processor under the EU  
> Directive, thus
> giving the entire responsibility to the first party (data controller  
> in EU
> talk)
>
> Can we resolve?
>
> Rigo
>
> On Tuesday 03 January 2012 15:18:30 David Singer wrote:
>> Issue number: 23
>>
>> Issue name: Possible exemption for analytics
>> Suggested retitle: Possible exemption for outsourcing
>>
>> Issue URL:
>>  http://www.w3.org/2011/tracking-protection/track/issues/23
>>
>> Section number in the FPWD: 3.4 Types of Tracking
>> Contributors to this text: (Draft) David Singer, (Edit) Jonathan  
>> Mayer
>>
>> Specification:
>> A third-party site may operate as a first-party site if all the  
>> following
>> conditions hold: the data collection, retention, and use, complies  
>> with at
>> least the requirements for first-parties; the data collected is  
>> available
>> only to the first party, and the third party has no independent  
>> right to
>> use the data; the third party makes commitments to adhere to this  
>> standard
>> in a form that is legally enforceable (directly or indirectly) by  
>> the first
>> party, individual users, and regulators; data retention by the  
>> third party
>> must not survive the end of this legal enforceability; the third  
>> party
>> undertakes reasonable technical precautions to prevent collecting  
>> data that
>> could be correlated across first parties.
>>
>> Non-normative Discussion:
>> The rationale for rule (2) is that we allow the third party to  
>> stand in the
>> first party’s shoes – but go no further.  The third party may not  
>> use the
>> data it collects for “product improvement,” “aggregate analytics,”  
>> or any
>> other purpose except to fulfill a request by a first party, where the
>> results are shared only with the first party.
>>
>> Rule (3) allows for the possibility of more than one level of  
>> outsourcing.
>>
>> In rule (4), one component of reasonable technical precautions will  
>> often be
>> using the same-origin policy to segregate information for each  
>> first-party
>> customer.
>>
>> Note that any data collected by the third party that is used, or  
>> may be
>> used, in any way by any party other than the first party, is  
>> subject to the
>> requirements for third parties.
>>
>> Example:
>> ExampleAnalytics collects analytic data for ExampleProducts Inc..  It
>> operates a site under the DNS analytics.exampleproducts.com. It  
>> collects
>> and analyzes data on visits to ExampleProducts, and provides that  
>> data
>> solely to ExampleProducts, and does not access or use it itself.
>>
>> Text that possibly belongs in other sections:
>> When the third party sends a response header, that header must  
>> indicate that
>> that they are a third party and that they are operating under this
>> exception. Note that a third party that operates under a domain  
>> name or
>> other arrangement that makes it appear to the user as if they are  
>> the first
>> party, or a part or affiliate of the first party, is nonetheless a  
>> third
>> party and is subject to the requirements of this clause ("DNS
>> masquerading").
>>
>>
>>
>> Issue number: 34
>> Issue name: Possible exemption for aggregate analytics
>> Suggested retitle: Possible exemption for unidentifiable data
>>
>> Issue URL:
>>  http://www.w3.org/2011/tracking-protection/track/issues/34
>>
>> Section number in the FPWD: 3.4 Types of Tracking
>> Contributors to this text: (Draft) David Singer, (Edit) Jonathan  
>> Mayer
>>
>> Specification:
>> A third party may collect, retain, and use any information from a  
>> user or
>> user agent that, with high probability, could not be used to: 1)  
>> identify
>> or nearly identify a user or user agent; or
>> 2) correlate the activities of a user or user agent across multiple  
>> network
>> interactions.
>>
>> Examples:
>> 1. A third-party advertising network records the fact that it  
>> displayed an
>> ad. 2. A third-party analytics service counts the number of times a  
>> popular
>> page was loaded.
>>
>> Non-Normative Discussion:
>> This exception (like all exceptions) may not be combined with other
>> exceptions unless specifically allowed.  A third party acting  
>> within the
>> outsourcing exception, for example, may not make independent use of  
>> the
>> data it has collected even though the use involves unidentifiable  
>> data.  A
>> rule to the contrary would provide a perverse incentive for third  
>> parties
>> to press all exceptions to the limit and then use the collected  
>> data within
>> this exception. A potential ‘safe harbor’ under this clause could  
>> be to
>> retain only aggregate counts, not per-transaction records.
>>
>> Text that possibly belongs elsewhere:
>> Possible advances in de-anonymization that make previously non- 
>> identifiable
>> data, identifiable, should be considered. [Maybe need an issue: whose
>> problem is it when data from disparate sources, all but one of  
>> which are
>> anonymous, is combined to achieve de-anonymization?]
>



On Jan 8, 2012, at 11:49 PM, Jeremy Malcolm wrote:

> On 09/01/12 12:59, John Simpson wrote:
>>
>> http://www.w3.org/2012/01/CommunityDNT-1.8.2012.doc
>>
>> You can find the Tracking Preference Expression and Tracking Scope  
>> and Compliance documents here:
>>
>> http://www.w3.org/2011/tracking-protection/
>>
>> Please let us know if you have any comments or concerns and whether  
>> you can sign on by noon ET Tuesday. Remember, you don't have to  
>> agree with everything in this.  This is meant to be a consensus of  
>> our community group and we have noted differing views where  
>> appropriate.
>
> Good job, I agree.
>
> -- 
> Dr Jeremy Malcolm
> Project Coordinator
> Consumers International
> Kuala Lumpur Office for Asia-Pacific and the Middle East
> Lot 5-1 Wisma WIM, 7 Jalan Abang Haji Openg, TTDI, 60000 Kuala  
> Lumpur, Malaysia
> Tel: +60 3 7726 1599
>
> The global voice for consumers: www.consumersinternational.org
> Connect with CI: Twitter @ConsumersInt | http://www.facebook.com/consumersinternational
> Help CI stay in touch: please also add ConsumersInternational@sut1.co.uk 
>  to your safe sender list
>
> Read our email confidentiality notice. Don't print this email unless  
> necessary.
>
Received on Monday, 9 January 2012 17:55:25 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Monday, 9 January 2012 17:55:26 GMT