W3C home > Mailing lists > Public > public-tracking@w3.org > February 2012

RE: ACTION-75: Write-up a hybrid of Do Not Profile and Do Not Cross-Site Track

From: JC Cannon <jccannon@microsoft.com>
Date: Tue, 7 Feb 2012 18:51:27 +0000
To: Shane Wiley <wileys@yahoo-inc.com>, Nicholas Doty <npdoty@w3.org>
CC: Tracking Protection Working Group WG <public-tracking@w3.org>
Message-ID: <DB4282D9ADFE2A4EA9D1C0FB54BC3BD76E4CA012@TK5EX14MBXC139.redmond.corp.microsoft.com>
It seems that we are still conflating collection with receipt of logs by a server and processing of those logs for placement in a profile or otherwise.

I believe we all agreed that web servers must be able to receive logs in order for the Internet to work as it does. I would like to propose that the mere receipt of logs by a web server should not be considered collection or be constrained by the rules of collection.

However, any processing of the logs should be considered collection and be governed by our DNT standard.

Inasmuch as the logs will include a DNT signal, any retention policy that comes out of our standard should apply to those logs.

JC

From: Shane Wiley [mailto:wileys@yahoo-inc.com]
Sent: Monday, February 06, 2012 7:33 AM
To: Nicholas Doty
Cc: Tracking Protection Working Group WG
Subject: RE: ACTION-75: Write-up a hybrid of Do Not Profile and Do Not Cross-Site Track

Nicholas,

There is the "general rule" and then there is the list of "operational exceptions".  I believe I've been responding to the "general rule" and am relying on the "operational exceptions" to allow for the use of cross-site data that's been collected for narrow purposes (such as security or general financial reporting, for example).

- Shane

From: Nicholas Doty [mailto:npdoty@w3.org]
Sent: Friday, February 03, 2012 4:28 PM
To: Shane Wiley
Cc: Tracking Protection Working Group WG
Subject: Re: ACTION-75: Write-up a hybrid of Do Not Profile and Do Not Cross-Site Track

Hi Shane,

Sorry for the confusion, but this gives me more questions, as I didn't realize the Service Provider concept was important for this proposal.

Do you mean "Service Provider" in the sense of the outsourcing exception currently defined in 3.6.1.2 http://www.w3.org/2011/tracking-protection/drafts/tracking-compliance.html#TypesofTrackingOutsourcing? I thought the Cross-Site Track proposal allowed third parties to collect siloed data for their own purposes (targeting advertising, etc.) which would be contrary to the current text as I understand it.

If this proposal is compatible with the current outsourcing exemption, then that's great news and I think we're one step closer to consensus.

On Feb 3, 2012, at 12:22 PM, Shane Wiley wrote:
3rd parties MUST NOT collect data across multiple, non-affiliated or branded websites.
<Non-Normative> Data collected by a 3rd party MUST be segregated according to the 1st party from which it was collected.  A 3rd party MUST NOT aggregate, correlate or use together data that was collected on different 1st party sites.

Do these next three statements only apply to data collected across multiple sites? Or to any data that a third party collects about a user?  [Correct - only data collected across multiple sites - as profiling only for a single site falls under the 1st party definition (as a Service Provider with no independent rights to use this data elsewhere).]

3rd parties MUST NOT add collected data to a "profile" of a user.

3rd parties MUST NOT leverage previously collected data to profile a user or to alter a user's experience.

3rd parties MUST NOT attempt to personally identify a user.

If these only apply to data collected across multiple sites, I'm not sure the first at least is necessary. If I can't collect data about a user across sites, it would be impossible to use that not-collected data to add to a profile of them, right?

[Logically you could argue it that way but we added this statements to make the prohibition very clear and to lower the risk of logic entanglement arguments.]

I see now, thanks. I still find the language confusing per the below, but I'm all for making statements clear even if it requires some level of redundancy.

Also, if that assumption is right, then the language seems confusing to me; 3rd-parties would be allowed to add data to profiles, leverage previously collected data to alter a user's experience or identify a user, as long as they were doing so with data they hadn't combined across sites, right?

[Correct - as a Service Provider to a 1st party with no independent rights to use this data elsewhere.]

Thanks,
Nick
Received on Tuesday, 7 February 2012 19:16:43 UTC

This archive was generated by hypermail 2.3.1 : Friday, 3 November 2017 21:44:44 UTC