W3C home > Mailing lists > Public > public-tracking@w3.org > January 2012

definition of (cross-site) tracking

From: Roy T. Fielding <fielding@gbiv.com>
Date: Thu, 12 Jan 2012 14:50:02 -0800
Cc: public-tracking@w3.org
Message-Id: <A17B97CD-F1D4-4B1B-A861-6676D2C85DBE@gbiv.com>
To: Tom Lowenthal <tom@mozilla.com>
On Jan 12, 2012, at 12:29 PM, Tom Lowenthal wrote:

>> Please feel free to raise this as an issue -- I have no intention of changing
>> that without consensus since I won't be participating in this WG if it is
>> changed.  It was, after all, the basis of all input documents and regulatory
>> concerns, where tracking was defined as cross-site tracking.
> 
> Roy, I think you may be mis-remembering the input documents and
> regulatory concerns. I encourage you to review the position papers from
> the opening workshop if you need to refresh your memory. Feel free to
> grep for the phrase "cross-site" or "across sites".

As I said, and we have discussed before, the reason for that is simply because
the input documents redefined or limited the scope of the single word "tracking"
to mean tracking from same-branded set of sites to some other-branded set of
sites (i.e., cross-site tracking).  The reason for that is because content
providers will not implement DNT (or at least will require opt-back-in before
site usage) if the scope of DNT includes first-party data collection for the
sake of web analytics or personalized customer experience.  Non-shared
tracking data and non-shared data collection is so central to how commercial
websites operate that they simply won't turn it off.  That is why attempts
to limit or marginalize Cookies failed in 1995-98.

We are here to solve a very real privacy problem in the form of cross-site
data sharing tied to a particular user when such sharing is undesired by
the user.  That privacy problem is distinct from tracking in general.
We can solve that problem by focusing on the actions that need to be limited.
I think David Wainberg summed that up best.

We cannot solve that problem by defining the protocol such that content
providers are required to mandate opt-back-in mechanisms in order to preserve
minimal site operation.  All we do then is piss off the ordinary user and
prevent anyone from using DNT for its intended purpose.  We would be wasting
all of our time and bandwidth.

When I put the question to the WG, the consensus was very clear that the user
would have expectations about what "tracking" meant that are far broader than
how those input documents defined it and how we agreed to define this protocol.
Therefore, I added a qualifier to clarify what DNT expresses so that it is
consistent with both user expectations and the meaning we are assigning DNT
in this protocol.

The reason I insist on doing so is because content providers will be sued/regulated
on the basis of the user's expectation's on what is expressed, not a fine-print
list of exceptions in a compliance document that none of us expect the users
to read.  On aspects regarding editorial choice (and this is certainly one
of them), the specification will use wording that reflects how the protocol
is defined by the WG.

If you see errors in the wording that makes it differ from the protocol,
then by all means suggest improvements that will make it closer to the protocol.
If you want to change the protocol, then get the WG to agree to that first.
I am not going to put my name on a spec that lies about what it defines.

Arguments that "cross-site tracking" is somehow more ambiguous than "tracking"
are simply absurd.  We can make the former a defined term in the compliance
document, or I can define it in the TPE spec, if folks think it would help
to define it formally.  The only reason I did not do that already is because
the scope assigned to compliance includes definitions.

....Roy
Received on Thursday, 12 January 2012 22:52:59 UTC

This archive was generated by hypermail 2.3.1 : Friday, 21 June 2013 10:11:23 UTC