W3C home > Mailing lists > Public > public-tracking-commit@w3.org > February 2013

CVS WWW/2011/tracking-protection/drafts

From: CVS User jbrookma <cvsmail@w3.org>
Date: Sat, 02 Feb 2013 20:06:15 +0000
Message-Id: <E1U1jLr-0001UN-NR@gil.w3.org>
To: public-tracking-commit@w3.org
Update of /w3ccvs/WWW/2011/tracking-protection/drafts
In directory gil:/tmp/cvs-serv5722

Added Files:
	CambridgeBareBones.html 
Log Message:
adding new file for review at Cambridge


--- /w3ccvs/WWW/2011/tracking-protection/drafts/CambridgeBareBones.html	2013/02/02 20:06:15	NONE
+++ /w3ccvs/WWW/2011/tracking-protection/drafts/CambridgeBareBones.html	2013/02/02 20:06:15	1.1
<!DOCTYPE html>
<html lang="en" dir="ltr">
<head>
  <title>Tracking Compliance and Scope</title>
  <meta http-equiv="Content-Type" content="text/html;charset=utf-8">
  <script src='http://www.w3.org/Tools/respec/respec-w3c-common' class='remove' async></script>
  <script class="remove">
    var respecConfig = {
      specStatus:          "ED",
      shortName:           "tracking-compliance",
      previousPublishDate: "2012-05-23",
      previousMaturity:    "ED",
      previousURI: "http://www.w3.org/2011/tracking-protection/drafts/tracking-compliance-20120523.html",
      edDraftURI:  "http://www.w3.org/2011/tracking-protection/drafts/tracking-compliance.html", 
      editors:  [
        { name: "Justin Brookman", url: "http://cdt.org/",
          company: "CDT", companyURL: "http://cdt.org/" }, 
       <!-- { name: "Sean Harvey", url: "http://google.com/", -->
       <!--   company: "Google", companyURL: "http://google.com/" }, 
       <!-- { name: "Erica Newland", url: "http://cdt.org/",
       <!--  company: "CDT", companyURL: "http://cdt.org/" }, -->
        { name: "Heather West", url: "http://Google.com/",
          company: "Google", companyURL: "http://google.com/" }, 
      ],
      wg:      "Tracking Protection Working Group",
      wgURI:   "http://www.w3.org/2011/tracking-protection/",
      wgPublicList: "public-tracking",
      wgPatentURI: "http://www.w3.org/2004/01/pp-impl/49311/status",
      issueBase:   "http://www.w3.org/2011/tracking-protection/track/issues/",
    }
  </script>
  <link rel="stylesheet" href="additional.css" type="text/css" media="screen"
        title="custom formatting for TPWG editors">
</head>
<body>
  <section id="abstract">
    <p>
      This specification defines the meaning of a Do Not Track (DNT)
      preference and sets out practices for websites to comply with this
      preference.
    </p>
  </section>

  <section id="sotd">
    <p>
      This document is a significantly streamlined version of the compliance
	  spec for discussion at the Cambridge face-to-face meeting of the
      <a href="http://www.w3.org/2011/tracking-protection/">Tracking Protection
      Working Group</a> on Feburary 11-13, 2013.  This language reflects the editors
	  effort to simplify existing text and has not been formally adopted by the
	  Working Group.  An
      <a href="http://www.w3.org/2011/tracking-protection/track/issues/">issue
      tracking system</a> is available for recording
      <a href="http://www.w3.org/2011/tracking-protection/track/issues/raised">raised</a>,
      <a href="http://www.w3.org/2011/tracking-protection/track/issues/open">open</a>,
      <a href="http://www.w3.org/2011/tracking-protection/track/issues/pendingreview">pending review</a>,
      <a href="http://www.w3.org/2011/tracking-protection/track/issues/closed">closed</a>,
      and <a href="http://www.w3.org/2011/tracking-protection/track/issues/postponed">postponed</a>
      issues regarding this document.
    </p>
  </section>

  <section id="introduction">
    <h2>Introduction</h2>

    <p class="note">
      The introduction will be re-worked after details of substantive text
      is closer to being finalized.
    </p>
    <!--- <p>
      The World Wide Web (WWW, or Web) consists of millions of sites
      interconnected through the use of hypertext. Hypertext provides a
      simple, page-oriented view of a wide variety of information that can be
      traversed by selecting links, manipulating controls, and supplying data
      via forms and search dialogs. A Web page is usually composed of many
      different information sources beyond the initial resource request,
      including embedded references to stylesheets, inline images,
      javascript, and other elements that might be automatically requested as
      part of the rendering or behavioral processing defined for that page.
    </p>
    <p>
      Each of the hypertext actions and each of the embedded resource
      references might refer to any site on the Web, leading to a seamless
      interaction with the user even though the pages might be composed of
      information requested from many different and possibly independent Web
      sites. From the user's perspective, they are simply visiting and
      interacting with a single brand -- the first-party Web property -- and
      all of the technical details and protocol mechanisms that are used to
      compose a page representing that brand are hidden behind the scenes.
    </p>
    <p>
      It has become common for Web site owners to collect data regarding the
      usage of their sites for a variety of purposes, including what led the
      user to visit their site (referrals), how effective the user experience
      is within the site (web analytics), and the nature of who is using
      their site (audience segmentation). In some cases, the data collected
      is used to dynamically adapt the content (personalization) or the
      advertising presented to the user (targeted advertising). Data
      collection can occur both at the first-party site and via third-party
      providers through the insertion of tracking elements on each page. A
      survey of these techniques and their privacy implications can be found
      in [[KnowPrivacy]].
    </p>
    <p>
      People have the right to know how data about them will be collected and
      how it will be used. Empowered with that knowledge, individuals can
      decide whether to allow their online activities to be tracked and data
      about them to be collected. Many Internet companies use data gathered
      about people's online activities to personalize content and target
      advertising based on their perceived interests. While some people
      appreciate this personalization of content and ads in certain contexts,
      others are troubled by what they perceive as an invasion of their
      privacy. For them, the benefit of personalization is not worth their
      concerns about allowing entities with whom they have no direct
      relationship to amass detailed profiles about their activities.
    </p>
    <p>
      Therefore, users need a mechanism to express their own preference
      regarding tracking that is both simple to configure and efficient when
      implemented. In turn, Web sites that are unwilling or unable to offer
      content without such targeted advertising or data collection need a
      mechanism to indicate those requirements to the user and allow them (or
      their user agent) to make an individual choice regarding user-granted
      exceptions.
    </p>
    <p>
      This specification defines the terminology of tracking preferences, the
      scope of its applicability, and the requirements on compliant
      first-party and third-party participants when an indication of tracking
      preference is received. This specification defines the meaning of a Do
      Not Track preference and sets out practices for websites and other
      online companies to comply with this preference.
    </p>
    <p>
      A companion document, [[!TRACKING-DNT]], defines the HTTP request
      header field DNT for expressing a tracking preference on the Web, a
      well-known location (URI) for providing a machine-readable tracking
      status resource that describes a service's DNT compliance, the HTTP
      response header field Tk for resources to communicate their compliance
      or non-compliance with the user's expressed preference, and JavaScript
      APIs for determining DNT status and requesting a site-specific,
      user-granted exception.
    </p> --->
  </section>

  <section id="scope-and-goals">
    <h2>Scope and Goals</h2>

    <p class="issue" data-number="6" title="What are the underlying concerns? Why are we doing this?">
      This section will be re-worked after details of substantive text
      is closer to being finalized.
    </p>
    <!--- <p>
      While there are a variety of business models to monetize content on the
      web, many rely on advertising. Advertisements can be targeted to a
      particular user's interests based on information gathered about one's
      online activity. While the Internet industry believes many users
      appreciate such targeted advertising, as well as other personalized
      content, there is also an understanding that some people find the
      practice intrusive. If this opinion becomes widespread, it could
      undermine the trust necessary to conduct business on the Internet. This
      Compliance specification and a companion [[!TRACKING-DNT]]
      specification are intended to give users a means to indicate their
      tracking preference and to spell out the obligations of compliant
      websites that receive the Do Not Track message. The goal is to provide
      the user with choice, while allowing practices necessary for a smoothly
      functioning Internet. This should be a win-win for business and
      consumers alike. The Internet brings millions of users and web sites
      together in a vibrant and rich ecosystem. As the sophistication of the
      Internet has grown, so too has its complexity which leaves all but the
      most technically savvy unable to deeply understand how web sites
      collect and use data about their online interactions. While on the
      surface many web sites may appear to be served by a single entity, in
      fact, many web sites are an assembly of multiple parties coming
      together to power a user's online experience. As an additional privacy
      tool, this specification provides both the technical and compliance
      guidelines to enable the online ecosystem to further empower users with
      the ability to communicate a tracking preferences to a web site and its
      partners.
    </p>
    <p>
      The accompanying
      <a href="http://www.w3.org/2011/tracking-protection/drafts/tracking-compliance.html#bib-TRACKING-DNT">TRACKING-DNT</a>
      recommendation explains how a user, through a user agent, can clearly
      express a desire not to be tracked. This Tracking Compliance and Scope
      recommendation sets the standard for the obligations of a website that
      receives such a DNT message.
    </p>
    <p>
      Taken together these two standards should have four substantial
      outcomes:
    </p>
    <ol start="1">
      <li>Empower users to manage their preference around the collection and
      correlation of data about Internet activities that occur on different
      sites and spell out the obligations of sites in honoring those
      preferences when DNT is enabled.</li>

      <li>Provide an exceedingly straightforward way for users to gain
      transparency and control over data usage and the personalization of
      content and advertising on the web.</li>

      <li>Enable a vibrant Internet to continue to flourish economically by
      supporting innovative business models while protecting users'
      privacy.</li>

      <li>Establish compliance metrics for operators of online services</li>
    </ol>
    <p>
      This standard has limited applicability to any practices by first
      parties, their service providers, subsidiaries, or affiliated
      companies. Under the standard, first parties may and will continue to
      collect and use data for tracking and other purposes. This standard is
      primarily directed at third parties.
    </p>
    <p>
      This solution is intended to be persistent, technology neutral, and
      reversible by the user. It aims to preserve a vibrant online ecosystem,
      privacy-preserving secondary data uses necessary to ecommerce, and
      adequate security measures. We seek a solution that is persistent,
      technology neutral, and [something that speaks with the ability to opt
      back in], but that preserves a vibrant online ecosystem,
      privacy-preserving secondary data uses, and adequate security measures.
    </p> --->
  </section>

  <section id="definitions">
    <h2>Definitions</h2>
<!--
<p class="note">The definitions section is a strawman proposal from editors
based on discussion in Seattle. Many sections are not yet consensus text.</p>
-->

    <section id="def-user">
      <h3>User</h3>
<!--
<p class="note">This definition is consensus or near-consensus text from the
pre-Seattle draft.</p>
-->

      <p>
        A user is an individual human. When user-agent software accesses
        online resources, whether or not the user understands or has specific
        knowledge of a particular request, that request is made "by" the
        user.
      </p>
    </section>

    <section id="def-user-agent">
      <h3>User Agent</h3>
<!--
<p class="note">This definition is consensus or near-consensus text from the
pre-Seattle draft, but there may be some debate on the definition.</p>
-->

      <p>
        This specification uses the term user agent to refer to any of the
        various client programs capable of initiating HTTP requests,
        including but not limited to browsers, spiders (web-based robots),
        command-line tools, native applications, and mobile apps [[!HTTP11]].
      </p>
      <p class="note">
        There has been recent discussion about whether the specification
        should differentiate among different types of users agents (such as
        general purpose browsers, add-ons, and stand-alone software
        programs), and possibly specify different compliance obligations
        depending on the type of user agent, or priority among different
        categories of user agents in the event of conflicting settings. There
        is currently no open ISSUE associated with this discussion.
      </p>
    </section>

    <section id="def-party">
      <h3>Party</h3>
<!--
<p class="note">Dsinger has asked to add something about the responsibility
following the data</p>
-->
      <!-- Justin, 2.1.13: The two definitions were so close that I just decided
	  to merge them. -->

        <p>
          A <dfn>party</dfn> is any commercial, nonprofit, or governmental
          organization, a subsidiary or unit of such an organization, or
          a person. For unique corporate entities to qualify as a common
          party with respect to this document,those entities MUST be
          commonly owned and commonly controlled and MUST
          provide easy discoverability of affiliate organizations. An
          list of affiliates MUST be provided within one click from each
          page or the entity owner clearly identified within one click
          from each page.
        </p>
      <!---  <p class="example">
          A website with a clear labeled link to the Affiliate List within
          the privacy policy would meet this requirement or the ownership
          brand clearly labeled on the privacy policy itself and may choose
          to act as a single party. --->
        </p></section>
    
<!--
A <dfn>functional entity</dfn> is any commercial, nonprofit, or governmental
organization, a subsidiary or unit of such an organization, or a person.
<br/><br/>
Functional entities are <dfn>affiliated</dfn> when they are related by both
common majority ownership and common control.
<br/><br/>
A <dfn>party</dfn> is a set of functional entities that are affiliated.

<section>
<h2>Transparency</h2>
<p class="note">This section is at best out of place, and should be in the
compliance section, not definitions.</p>
<section>
<h2>Requirement</h2>
A <a>functional entity</a> must make its <a>affiliated</a> functional entities
easily discoverable by a user.
</section>
<section>
<h2>Non-Normative Discussion</h2>
<p class="informative">Affiliation may be made easily discoverable by
prominent and common branding by a functional entity of affiliation on its
webpages, within a privacy policy linked from its webpages, or a
machine-readable format in a well-known location.</p>

<h2>Affiliated Parties</h2>
<p class="note">I changed this text to reflect that it's a definition of
affiliated parties, but should retain the requirement that an affiliated party
must be discoverable in order to be considered affiliated under this
draft.</p>
<section>
<h2>Requirement</h2>
A <a>functional entity</a> must make its <a>affiliated</a> functional entities
easily discoverable by a user.
</section>
<section>
<h2>Non-Normative Discussion</h2>
<p class="informative">Affiliation may be made easily discoverable by
prominent and common branding by a functional entity of affiliation on its
webpages, within a privacy policy linked from its webpages, or a
machine-readable format in a well-known location.</p>
</section> 
</section>

    </section> --->

    <section id="def-service-providers">
      <h4>Service Providers/Outsourcers</h4>

      <p class="note">
       We do not expect outsourcing to be a major topic of discussion at the
	   Cambridge face-to-face, so this definition is suggested as a
	   placeholder. Some working group participants have argued for more
	   prescriptive rules to qualify as a service provider.
      </p>
	  
	  Outsourced service providers are considered to be the same party as their
	  clients if the outsourced service providers only act as data processors on
	  behalf of that party in relation to that party, silo the data so that it
	  cannot be accessed by other parties, and have no control over the use or
	  sharing of that data except as directed by that party. 
	  
	  <!--- Justin, 2.1.13: I could not just comment out three options, so I
	  deleted them entirely.  However, we can find them in previous drafts if
	  necessary. --->
	  
	  <p> </p>
<!--  <p class="note">Ensure that third party can act as a third party,
      or as a first party within section</p>
      <p class="note">hwest to propose an alternative definition of first
      party (based on ownership? alternative to inference?) [recorded in
      http://www.w3.org/2012/07/11-dnt-minutes.html#action01]</p>
-->

    </section>

    <section id="first-third-parties">
      <h3>First and Third Parties</h3>

      <section class="option" id="def-first-third-parties-opt-1">
        <h4>Option 1: User Intention to Communicate</h4>

   

          <p>
            A <dfn>first party</dfn> is any <a>party</a>, in a specific
            <a>network interaction</a>, that can infer with high probability
            that the user knowingly and intentionally communicated with it.
            Otherwise, a party is a third party.
          </p>
          <p>
            A <dfn>third party</dfn> is any <a>party</a>, in a specific
            <a>network interaction</a>, that cannot infer with high
            probability that the user knowingly and intentionally
            communicated with it.
          </p>
 

    <!---    <section class="informative">
          <h2>Discussion</h2>


[1303 lines skipped]
Received on Saturday, 2 February 2013 20:06:17 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Saturday, 2 February 2013 20:06:18 GMT