W3C home > Mailing lists > Public > public-tracking@w3.org > November 2011

RE: "cross-site"

From: Jules Polonetsky <julespol@futureofprivacy.org>
Date: Wed, 16 Nov 2011 22:55:29 -0500
To: "'John Simpson'" <john@consumerwatchdog.org>
Cc: "'Nicholas Doty'" <npdoty@w3.org>, "'Roy T. Fielding'" <fielding@gbiv.com>, "'Mark Nottingham'" <mnot@mnot.net>, "'Karl Dubost'" <karld@opera.com>, <public-tracking@w3.org>
Message-ID: <002701cca4dc$bfb28590$3f1790b0$@futureofprivacy.org>
You mean "must" NOT share data with others, correct? Agree...although
perhaps dealt with via definition of a first party as someone who does not
passively share data with third parties.

-----Original Message-----
From: John Simpson [mailto:john@consumerwatchdog.org] 
Sent: Wednesday, November 16, 2011 10:46 PM
To: Jules Polonetsky
Cc: Nicholas Doty; Roy T. Fielding; Mark Nottingham; Karl Dubost;
<public-tracking@w3.org>
Subject: Re: "cross-site"

I think there are some "must" requirements on first party sites.
specifically they must share data with others ...

----------------
John M. Simpson
Consumer Advocate
Consumer Watchdog
Tel: 310-392-7041
 

On Nov 16, 2011, at 7:24 PM, "Jules Polonetsky"
<julespol@futureofprivacy.org> wrote:

> I thought there was consensus that requirements on first parties were
"may"
> and third parties were "must" or "shall".
> 
> -----Original Message-----
> From: Nicholas Doty [mailto:npdoty@w3.org]
> Sent: Wednesday, November 16, 2011 10:20 PM
> To: Roy T. Fielding
> Cc: John Simpson; Mark Nottingham; Karl Dubost; public-tracking@w3.org 
> WG
> (public-tracking@w3.org)
> Subject: Re: "cross-site"
> 
> On Nov 16, 2011, at 12:43 AM, Roy T. Fielding wrote:
> 
>> On Nov 15, 2011, at 2:59 PM, John Simpson wrote:
>> 
>>> Perhaps I am missing something, but I don't understand why we need 
>>> the
> reference to "cross-site" nor to "across sites."  As a user I want to 
> send a clear and unambiguous signal that I do not wish to be tracked.  
> I may be persuaded that first party sites and third party sites have 
> different obligations when my message is received, but I definitely 
> want both first and third party sites to get my message. Thus, I 
> believe the specification should simply read:
>>> 
>>> "This specification defines the technical mechanisms for expressing 
>>> a
> tracking preference via the DNT request header field in HTTP."
>> 
>> No, we've already had this conversation.
>> 
>> We chose to make exceptions for analytics and first-party-exclusive
> tracking from the preference expression because they are not a privacy 
> concern, they do match user expectations, and are necessary for DNT 
> adoption.
> 
> As John points out, while we do seem to agree that first and third 
> parties may have different requirements, I'm not aware of a consensus 
> decision that first parties are entirely excepted from the standards. 
> In fact, the compliance document currently contains a "First Party 
> Compliance" section,
> ISSUE-17 remains open and first parties could provide meaningful 
> responses with the proposed response header.
> 
> I also don't remember us choosing to grant an exception for analytics, 
> besides highlighting that for later discussion. ISSUEs 23 and 24 
> haven't been opened yet, though the work on 73 suggests a direction 
> for one type of analytics.
> 
>> The combination of those two choices requires that we place an 
>> adjective
> before tracking in order to properly define the meaning of the header
field.
> "cross-site" is good enough for me.  We can replace it if somebody 
> comes up with a better shorthand term.
> 
> I'd be happy with John's suggested text, or with whatever language we 
> land on in the compliance document (there are open issues there about 
> "behavioral" as a potential modifier for this purpose).
> 
> -Nick
Received on Thursday, 17 November 2011 03:56:08 UTC

This archive was generated by hypermail 2.3.1 : Friday, 21 June 2013 10:11:22 UTC