W3C home > Mailing lists > Public > public-privacy@w3.org > October to December 2010

Re: do not track list?

From: Mischa Tuffield <mischa.tuffield@garlik.com>
Date: Fri, 19 Nov 2010 12:23:36 +0000
Cc: Rigo Wenning <rigo@w3.org>, "Chappelle, Kasey, VF-Group" <Kasey.Chappelle@vodafone.com>, "Thomas Roessler" <tlr@w3.org>, public-privacy@w3.org
Message-Id: <11D2194C-8AB0-4371-99E8-C3F0AD88EE60@garlik.com>
To: Karl Dubost <karld@opera.com>
Hi All, 

Apologies if this is common knowledge, but on the topic of tracking AT&T's Bala [1] has done some excellent work, with eye-opening stats about personal information leakage, via cookies, referrer headers, and cookies. 

The only way around these issues seems to be, as suggested a "do-not-track-me" type header, along with social pressures to ensure people abide by it. 

Mischa *2 pence worth

[1] http://www2.research.att.com/~bala/papers/
On 18 Nov 2010, at 11:39, Karl Dubost wrote:

> Le 18 nov. 2010 à 06:07, Rigo Wenning a écrit :
>> the ID allows you to put a magnifying 
>> glass on this one user in the middle of the crowd whatever the context is. And our computers are powerful enough to keep the focus on that one individual. 
> Yes saying same thing here ;). 
> "keep the focus" = time density context in aggregation.
>> And here the "no tracking" does something very intelligent. It is a message 
>> from the user to the service. "Do not track me". And the service can honor the  request from the user.. or not.
> That is a good thing.
> Agreed but that will make plenty of Web services unusable, exactly the same way than when you remove Javascript and Cookies. I'm not saying it should not be done, just that you have to be ready for the consequences. 
> Granularity is hard to manage (contexts). [I have done a few longterm real experiments for this with js/cookies.]
>> So there is a combination of how a protocol is designed and what legal 
>> consequences can be derived from a protocol. 
> I think the strong side of the stick must be on the other side but that might be even harder to achieve. P3P relies on people with the interests to do the right thing. Socially, it never flies very far, except if there are strong penalties in return. The network is distributed, then systems relying on central authority will be harder to put in place. 
> See the mail for example, there are quite a number of laws in place, but the best way to fight the spam is on the receiver side. Eventually we will evolve to a system where you can receive mails only from people you know (whitelisting). There might be one reason why people like instant messaging/microblogging. Easier to control the spam.
> In my experiment with the indexing of my server content by external entities, I have realized the same thing. The only way to effectively enforce a "do not index my content" is to
>    "block and not say", 
> which is different from 
>    "say to not block".
> So yes the protocol has to be carefully design for helping the user to just block things. So instead of do not track me, there should be a do not send anything (user agent, font, screen size). 
> But then we are back to the initial point, certain sites are becoming not usable and granularity is hard to manage. Maybe we are asking the question the wrong way. Does it matter that we are tracked? We are all the time in the physical world. What are our values with regards to this tracking? What are our abilities to escape it, in which ways? 
> If people have read until here ;) Do this exercise today:
> 	In the *physical* world today or tomorrow, 
> 	write down when you have been identified,
> 	Imagine what you could have done (or not)
> 	for not being identified. What made you 
> 	traçable?
> "Do not track me" is far too wide in scope to lead to any good results. 
> * Identifying
> * Aggregating
> * Forgetting
> -- 
> Karl Dubost - http://dev.opera.com/
> Developer Relations & Tools, Opera Software

Mischa Tuffield PhD
Email: mischa.tuffield@garlik.com
Homepage - http://mmt.me.uk/
Garlik Limited, 1-3 Halford Road, Richmond, TW10 6AW
+44(0)845 652 2824  http://www.garlik.com/
Registered in England and Wales 535 7233 VAT # 849 0517 11
Registered office: Thames House, Portsmouth Road, Esher, Surrey, KT10 9AD

Received on Friday, 19 November 2010 12:24:22 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 6 January 2015 20:23:52 UTC