CVS WWW/2011/tracking-protection/drafts from CVS User dsinger2 on 2013-11-07 (public-tracking-commit@w3.org from November 2013)

From: CVS User dsinger2 <cvsmail@w3.org>
Date: Thu, 07 Nov 2013 03:31:35 +0000
To: public-tracking-commit@w3.org
Message-Id: <E1VeGJj-0001l5-N0@gil.w3.org>
Update of /w3ccvs/WWW/2011/tracking-protection/drafts
In directory gil:/tmp/cvs-serv6753

Modified Files:
	tracking-compliance.html 
Log Message:
Resolution of Issue-24 integrated.  Added note suggesting deletion of 
definition of graduated response.



--- /w3ccvs/WWW/2011/tracking-protection/drafts/tracking-compliance.html	2013/10/02 23:45:05	1.106
+++ /w3ccvs/WWW/2011/tracking-protection/drafts/tracking-compliance.html	2013/11/07 03:31:35	1.107
@@ -226,6 +226,12 @@
 				<p>
 					A <dfn>graduated response</dfn> a methodology where the action taken is proportional to the size of the problem or risk that is trying to be mitigated. In the context of this document, the term is used to describe an increase in the collection of data about a user or transaction in response to a specific problem that a party has become aware of, such as an increase in fraudulent activity originating from a particular network or IP address range resulting in increased logging of data relating to transactions from that specific range of IP addresses as opposed to increased logging for all users in general.
 				</p>
+				<p class="note">
+  				  Only used in security, below, and may overlap with the explanation
+  				   there.  Delete the definition and let it be defined the only place 
+  				   it's used?
+  				</p>
+
 			</section>
 	</section> <!-- end definitions -->
 	<section id="user-agent-compliance">
@@ -444,19 +450,25 @@
 			
 			<section id="security">
 			<h4>Security</h4>
-			<p>
-				To the extent proportionate and reasonably necessary for <dfn>detecting security risks and
-				fraudulent or malicious activity</dfn>, parties MAY collect, retain, and use data regardless
-				of a DNT signal. This includes data reasonably necessary for enabling authentication/verification,
-				detecting hostile and invalid transactions and attacks, providing fraud prevention, and maintaining
-				system integrity. In the context of this specific permitted use, this data MAY be used to
-				alter the user's experience in order to reasonably keep a service secure or prevent fraud.
-			</p>
-			<p class="issue" data-number="24" title="Possible exemption for fraud detection and defense"></p>
-  			<section id="security-graduated" class="informative">
-  				<h4>Graduated Responses for Security</h4>
-  				When feasible, a <a>graduated response</a> to a detected security incident is preferred over widespread data collection. An example would be recording all use from a given IP address range, regardless of DNT signal, if the party believes it is seeing a coordinated attack on its service (such as click fraud) from that IP address range. Similarly, if an attack shared some other identifiable fingerprint, such as a combination of user agent string and other protocol information, the party could retain logs on all transactions matching that fingerprint until it can be determined that they are not associated with such an attack or such retention is no longer necessary to support prosecution.
-  			</section>
+			<p>Regardless of the tracking preference expressed, data MAY be collected,
+			 retained, and used to the extent reasonably necessary to detect security
+			 incidents, protect the service against malicious, deceptive, fraudulent,
+			 or illegal activity, and prosecute those responsible for such activity,
+			 provided that such data is not used for operational behavior 
+			 (profiling or personalization) beyond what is reasonably necessary 
+			 to protect the service or institute a <a>graduated response</a>.</p>
+
+			<p>When feasible, a <a>graduated response</a> to a detected security incident  
+			 is preferred over widespread data collection. An example would be recording 
+			 all use from a given IP address range, regardless of DNT signal, if the 
+			 party believes it is seeing a coordinated attack on its service (such as 
+			 click fraud) from that IP address range. Similarly, if an attack shared 
+			 some other identifiable fingerprint, such as a combination of User Agent 
+			 and other protocol information, the party could retain logs on all 
+			 transactions matching that fingerprint until it can be determined that 
+			 they are not associated with such an attack or such retention is no 
+			 longer necessary to support prosecution.</p>
+
 			</section>
 			
 			<section id="debugging">
Received on Thursday, 7 November 2013 03:31:36 UTC