- From: CVS User npdoty <cvsmail@w3.org>
- Date: Fri, 21 Jun 2013 00:49:01 +0000
- To: public-tracking-commit@w3.org
Update of /w3ccvs/WWW/2011/tracking-protection/drafts
In directory gil:/tmp/cvs-serv16175
Modified Files:
tracking-compliance.html
Log Message:
updating editors' draft to work off of june draft
--- /w3ccvs/WWW/2011/tracking-protection/drafts/tracking-compliance.html 2013/04/29 08:00:44 1.94
+++ /w3ccvs/WWW/2011/tracking-protection/drafts/tracking-compliance.html 2013/06/21 00:49:01 1.95
@@ -1,29 +1,14 @@
<!DOCTYPE html>
<html lang="en" dir="ltr">
<head>
- <title>Tracking Compliance and Scope</title>
+ <title>Tracking Compliance and Scope - June Draft</title>
<meta http-equiv="Content-Type" content="text/html;charset=utf-8">
<script src='http://www.w3.org/Tools/respec/respec-w3c-common' class='remove' async></script>
<script class="remove">
var respecConfig = {
- specStatus: "ED",
+ specStatus: "unofficial",
shortName: "tracking-compliance",
- previousPublishDate: "2012-10-30",
- previousMaturity: "ED",
- previousURI: "http://www.w3.org/2011/tracking-protection/drafts/tracking-compliance-20121030.html",
- edDraftURI: "http://www.w3.org/2011/tracking-protection/drafts/tracking-compliance.html",
- editors: [
- { name: "Justin Brookman", url: "http://cdt.org/",
- company: "CDT", companyURL: "http://cdt.org/" },
- { name: "Heather West", url: "http://Google.com/",
- company: "Google", companyURL: "http://google.com/" },
- { name: "Sean Harvey", url: "http://google.com/",
- company: "Google", companyURL: "http://google.com/",
- note: "until June 2012" },
- { name: "Erica Newland", url: "http://cdt.org/",
- company: "CDT", companyURL: "http://cdt.org/",
- note: "until May 2012" },
- ],
+ editors: [],
wg: "Tracking Protection Working Group",
wgURI: "http://www.w3.org/2011/tracking-protection/",
wgPublicList: "public-tracking",
@@ -42,934 +27,416 @@
preference.
</p>
</section>
-
- <section id="sotd">
- <p>
- This document is a significantly streamlined version of the compliance
- spec that was discussed at the Cambridge face-to-face meeting of the
- <a href="http://www.w3.org/2011/tracking-protection/">Tracking Protection
- Working Group</a> on Feburary 11-13, 2013. This language reflects the editors
- effort to simplify existing text and has not been formally adopted by the
- Working Group. An
- <a href="http://www.w3.org/2011/tracking-protection/track/issues/">issue
- tracking system</a> is available for recording
- <a href="http://www.w3.org/2011/tracking-protection/track/issues/raised">raised</a>,
- <a href="http://www.w3.org/2011/tracking-protection/track/issues/open">open</a>,
- <a href="http://www.w3.org/2011/tracking-protection/track/issues/pendingreview">pending review</a>,
- <a href="http://www.w3.org/2011/tracking-protection/track/issues/closed">closed</a>,
- and <a href="http://www.w3.org/2011/tracking-protection/track/issues/postponed">postponed</a>
- issues regarding this document.
- </p>
- </section>
-
- <section id="introduction">
- <h2>Introduction</h2>
- <p class="note">
- The introduction will be re-worked after details of substantive text
- is closer to being finalized.
- </p>
- </section>
-
<section id="scope-and-goals">
- <h2>Scope and Goals</h2>
+ <h2>Scope</h2>
- <p>This specification is designed to provide users a simple machine-readable
- preference expression mechanism to globally or selectively allow or limit
- online tracking.</p>
- <p>"Tracking" is understood by this standard as the collection and
- retention of data across multiple parties' domains or services in a form
- such that it can be attributed to a specific user, user agent, or device.</p>
- <p class="note">The scope language is not at consensus, but is an effort by
- the editors to offer a provisional definition of tracking.</p>
+ <p>Do Not Track is designed to provide users with a simple preference expression mechanism to allow or limit online tracking globally or selectively.</p>
+ <p>The specification applies to compliance with requests through user agents that (1) can access the general browsable Web; (2) have a user interface that satisfies the requirements in <a href="http://www.w3.org/2011/tracking-protection/drafts/tracking-dnt.html#determining">Determining User Preference</a> in the [[!TRACKING-DNT]] specification; (3) and can implement all of the [[!TRACKING-DNT]] specification, including the mechanisms for communicating a tracking status, and the user-granted exception mechanism.</p>
</section>
<section id="definitions">
<h2>Definitions</h2>
- <section id="def-user">
- <h3>User</h3>
- <p>
- A <dfn>user</dfn> is an individual human. When user-agent software accesses
- online resources, whether or not the user understands or has specific
- knowledge of a particular request, that request is made "by" the
- user.
+ <p id="def-user">
+ A <dfn>user</dfn> is an individual human. When user agent software
+ accesses online resources, whether or not the user understands or has
+ specific knowledge of a particular request, that request is "made by
+ the user."
</p>
- </section>
-
- <section id="def-user-agent">
- <h3>User Agent</h3>
- <p>
- This specification uses the term <dfn>user agent</dfn> to refer to any of the
+ <p id="def-user-agent">
+ The term <dfn>user agent</dfn> refers to any of the
various client programs capable of initiating HTTP requests,
including but not limited to browsers, spiders (web-based robots),
command-line tools, native applications, and mobile apps [[!HTTP11]].
</p>
- </section>
-
- <section id="def-party">
- <h3>Party</h3>
- <p>
- A <dfn>party</dfn> is any commercial, nonprofit, or governmental
- organization, a subsidiary or unit of such an organization, or
- a person. For unique corporate entities to qualify as a common
- party with respect to this document,those entities MUST be
- commonly owned and commonly controlled and MUST
- provide easy discoverability of affiliate organizations. An
- list of affiliates MUST be provided within one click from each
- page or the entity owner clearly identified within one click
- from each page.
- </p>
- </section>
-
- <section id="def-service-providers">
- <h4>Service Providers</h4>
- <p class="option">
- Outsourced <dfn>service providers</dfn> are considered to be the same party as their
- clients if the outsourced service providers only act as data processors on
- behalf of that party in relation to that party, silo the data so that it
- cannot be accessed by other parties, and have no control over the use or
- sharing of that data except as directed by that party.
- </p>
-
- <p class="option">
- Outsourced <dfn>service providers</dfn> are considered to be the same
- party as their clients if the service provider<br><br>
- 1. acts only as a data processor on behalf of the client;<br><br>
- 2. ensures that the data can only be accessed and used as directed by that client;<br><br>
- 3. has not independent right to use or share the data except as necessary to ensure the
- integrity, security, and correct operation of the service being provided; and<br><br>
- 4. has a contract in place that outlines and mandates these requirements.
- </p>
-
- <p class="issue" data-number="49" title="Third party as first party -- is a
- third party that collects data on behalf of a first party treated the
- same way as the first party"></p>
- </section>
-
- <section id="first-party">
- <h3>First Party</h3>
- <p>In a specific network interaction, a party with which the user intentionally
- interacts is a <dfn>first party</dfn>. In most cases on a traditional web
- browser, the first party will be the party that owns and operates the domain
- visible in the address bar. The party that owns and operates or has control
- over a branded/labelled embedded widget, search box, or similar service with
- which a user intentionally interacts is also considered a First Party. If a
- user merely mouses over, closes, or mutes such content, that is not sufficient
- interaction to render the party a first party.</p>
-
- <section id="multiple-first-parties">
- <h4>Multiple First Parties</h4>
-
- <p>In most network interactions, there will be only one first party with which
- the user intends to interact. However, in some cases, a network resource will
- be jointly operated by two or more parties, and a user would reasonably expect
- to communicate with all of them by accessing that resource. User understanding
- that multiple parties operate a particular resource could be accomplished
- through inclusion of multiple parties' brands in a domain name, or prominent branding
- on the resource indicating that multiple parties are responsible for content or
- functionality on the resource with which a user reasonably would expect to
- interact by accessing the resource. Simple branding of a party, without more,
- will not be sufficient to make that party a first party in any particular
- network interaction.</p>
- </section>
-
- <p class="issue" data-number="10" title="What is a first party?"></p>
- </section>
-
- <section id="third-party">
- <h3>Third Party</h3>
-
- <p>In a specific network interaction, any entity that is not the user,
- user agent, or a first party is considered a <dfn>third party</dfn>.</p></section>
-
- <section id="def-unlinkable">
- <h3>Deidentified Data</h3>
-
- <p class="option">Data is <dfn>deidentified</dfn> when a party:<br>
- (1) has taken measures to ensure with a reasonable level of
- justified confidence that
- the data cannot be used to infer information about,
- or otherwise be linked to, a particular consumer, computer,
- or other device;<br>
- (2) does not to try to reidentify the data; and<br>
- (3) contractually prohibits downstream recipients from trying to re-identify the data.
- </p>
-
- <p class="option">Data can be considered sufficiently <dfn>deidentified</dfn> to the extent
- that it has been deleted, modified, aggregated, anonymized or otherwise manipulated
- in order to achieve a reasonable level of justified confidence that the data cannot
- reasonably be used to infer information about, or otherwise be linked to, a
- particular user, user agent, or device.</p>
-
- <p class="note">The first option above is based on the definition of unlinkable data
- in the 2012 FTC privacy report; the second option was proposed by Daniel Kaufman.
- The group has a fundamental disagreement about whether internal access controls
- within an organization could be sufficient to de-identify data for the purposes of
- this standard.</p>
-
- <p class="issue" data-number="188" title="Definition of unlinkable data"></p>
- <p class="issue" data-number="191" title="Non-normative Discussion of De-Identification"></p>
- </section>
-
- <section id="def-network-transaction">
- <h3>Network Transaction</h3>
- <p>
- A <dfn>network interaction</dfn> is an HTTP request and response, or any other
- sequence of logically related network traffic.
- </p>
- </section>
-
- <section id="def-collection">
- <h3>Data collection, retention, use, and sharing</h3>
- <p class="issue" data-number="16" title="What does it mean to collect data? (caching, logging, storage, retention, accumulation, profile etc.)"></p>
- <ol start="1">
- <li>A party <dfn>collects</dfn> data if it receives the data and either shares
- the data with other parties or stores the data for more than a
- transient period.</li>
-
- <li>A party <dfn>retains</dfn> data if data remains within a party's control
- beyond the scope of the current interaction.</li>
-
- <li>A party <dfn>uses</dfn> data if the party processes the data for any
- purpose other than storage or merely forwarding it to another
- party.</li>
-
- <li>A party <dfn>shares</dfn> data if the party provides a copy or access to the data
- to a third party.</li>
+ <p id="def-network-transaction">
+ A <dfn>network interaction</dfn> is the set of HTTP requests and
+ responses, or any other sequence of logically related network traffic
+ caused by a user visit to a single web page or similar single action.
+ Page re-loads, navigation, and refreshing of content cause a new
+ network interaction to commence.
+ </p>
+ <p id="def-party">
+ A <dfn>party</dfn> is any commercial, nonprofit, or governmental
+ organization, a subsidiary or unit of such an organization, or a
+ person. For unique corporate entities to qualify as a common party
+ with respect to this document, those entities MUST be commonly owned
+ and commonly controlled and MUST provide easy discoverability of
+ affiliate organizations. A list of affiliates MUST be available
+ through a single user interaction from each page, for example, by
+ following a single link, or through a single click.
+ </p>
+ <p id="def-service-providers">
+ An outsourced <dfn>service provider</dfn> is considered to be the
+ same party as its client if the service provider:
+ </p>
+ <ol>
+ <li>acts only as a data processor on behalf of the client;</li>
+ <li>ensures that the data can only be accessed and used as directed
+ by that client;</li>
+ <li>has no independent right to use or share the data except as
+ necessary to ensure the integrity, security, and correct operation
+ of the service being provided; and</li>
+ <li>has a contract in place that outlines and mandates these
+ requirements.</li>
</ol>
- <p>
- The definitions of collection, retention, use, and sharing are
- drafted expansively so as to comprehensively cover a party's
- user-information practices. These definitions do not require a
- party's intent; a party may inadvertently collect, retain, use, or
- share data. The definition of collection includes information that a
- party did not cause to be transmitted, such as protocol headers.
- </p>
-
- <p class="option">Alternative: A party "collects" data when it assembles
- data from or about one or more network interactions
- and retains or shares that data beyond the scope of responding
- to the current request or in a form that remains linkable to a
- specific user, user agent, or device.</p>
-
- <section id="unknowing-exception">
- <h4>Exception for unknowing collection, retention, and use</h4>
-
+ <p id="first-party">
+ In the context of a specific network interaction, the <dfn>first
+ party</dfn> is the party with which the user intentionally interacts.
+ In most cases on a traditional web browser, the first party will be
+ the party that owns and operates the domain visible in the address
+ bar.
+ </p>
+ <p>
+ The party that owns and operates or has control over a branded or
+ labeled embedded widget, search box, or similar service with which a
+ user intentionally interacts is also considered a first party. If a
+ user merely mouses over, closes, or mutes such content, that is not
+ sufficient interaction to render the party a first party.
+ </p>
+ <p id="multiple-first-parties">
+ In most network interactions, there will be only one first party with
+ which the user intends to interact. However, in some cases, a resource
+ on the Web will be jointly operated by two or more parties, and a user
+ would reasonably expect to communicate with all of them by accessing
+ that resource. User understanding that multiple parties operate a
+ particular resource can, for example, be accomplished through
+ inclusion of multiple parties' brands in a domain name, or prominent
+ branding on the resource indicating that multiple parties are
+ responsible for content or functionality on the resource with which a
+ user reasonably would expect to interact by accessing the resource.
+ Simple branding of a party, without more, will not be sufficient to
+ make that party a first party in any particular network interaction.
+ </p>
+ <p class="issue" data-number="10" title="What is a first party?"></p>
+ <p id="third-party">
+ A <dfn>third party</dfn> is any party other than a first party,
+ service provider, or the user.
+ </p>
+ <p>
+ Whether a party is a first or third party is determined within and
+ limited to a specific network interaction.
+ </p>
+ <p id="def-unlinkable">
+ Data is <dfn>deidentified</dfn> when a party:
+ </p>
+ <ol>
+ <li>
+ has achieved a reasonable level of justified confidence that the
+ data cannot be used to infer information about, or otherwise be
+ linked to, a particular consumer, computer, or other device;
+ </li>
+ <li>
+ commits to try not to reidentify the data; and
+ </li>
+ <li>
+ contractually prohibits downstream recipients from trying to
+ re-identify the data.
+ </li>
+ </ol>
+ <p class="issue" data-number="188" title="Definition of de-identified (or previously, unlinkable) data"></p>
+ <p id="def-tracking">
+ <dfn>Tracking</dfn> is the retention or use, after a network
+ interaction is complete, of data records that are, or can be,
+ associated with a specific user, user agent, or device.
+ </p>
+ <p class="issue" data-number="5" title="What is the definition of tracking?"></p>
+ <p id="def-collection">
+ A party <dfn>collects</dfn> data if it receives the data and shares
+ the data with other parties or stores the data for more than a
+ transient period.
+ </p>
<p>
- A party may receive, retain, and use data as otherwise prohibited
- by this standard, so long as it is unaware of such information
- practices and has made reasonable efforts to understand its
- information practices. If a party learns that it possesses
- information in violation of this standard, it must delete that
- information at the earliest practical opportunity.
- </p>
- </section>
- </section>
-
- <section id="def-tracking">
- <h3>Tracking</h3>
-
- <p class="note">
- The term "tracking" is not used in the normative text of this
- document. We may subsequently decide to define this term, or address
- the issue of what is "tracking" in the Introduction or Scope section.
- A definition proposed by the editors is available in the Scope section
- above.
- </p>
- <p class="issue" data-number="117" title="Terms: tracking v. cross-site tracking"></p>
- </section>
-
- <section id="def-consent">
- <h3>Explicit and Informed Consent</h3>
-
- <p class="note">
- The spec currently envisions that users should consent to both the
- setting of a DNT preference as well as any user-granted exceptions.
- We have not reached agreement on how precisely we need to define this
- term.
- </p>
-
- <div class="option" id="def-consent-prescribe">
+ A party <dfn>retains</dfn> data if data remains within a party's
+ control beyond the scope of the current network interaction.
+ </p>
<p>
- Explicit and informed choice must satisfy the following bright-line requirements:
- </p>
- <ol>
- <li>
[910 lines skipped]
Received on Friday, 21 June 2013 00:49:02 UTC