- From: David Singer <singer@apple.com>
- Date: Thu, 12 Jan 2012 10:26:35 -0800
- To: Shane Wiley <wileys@yahoo-inc.com>
- Cc: Ed Felten <ed@felten.com>, "public-tracking@w3.org" <public-tracking@w3.org>
My problems with the term 'cross-site' are two-fold:
a) I think users are asking "don't track me" and they will see "don't cross-site track me" as restricting some, but not nearly all, of what they worry about.
b) I think some sites will break the formal rules but claim that what they are doing is not "cross-site" and so is allowed.
We could argue in both cases that they should read the document and the definitions and rules, but in both cases I fear the damage is done before that. This is behind some of the (slightly emotional) resistance to what could be, after all, merely a terminology question.
This is assuming we agree on a definition, of course, of what we're restricting…maybe then we'll be able to decide what label to give it.
There seems to be some 'emotional' resistance the other way; can anyone explain it?
On Jan 12, 2012, at 9:23 , Shane Wiley wrote:
> Ed,
>
> As you've pointed out (and I similarly called out later in the chain) there will be a need to define terms and exceptions in either direction. That said, there are optic, related assumptions, and a starting point for understanding to consider - and with those in mind, "cross-site tracking" appears to be the better place to begin the conversation from (and was the genesis of the DNT debate/discussion and this working group).
>
> - Shane
>
> -----Original Message-----
> From: Ed Felten [mailto:ed@felten.com]
> Sent: Thursday, January 12, 2012 7:49 AM
> To: public-tracking@w3.org
> Subject: Re: diff of TPE editing since the FPWD
>
> Is this "cross-site" discussion a debate about substance, or only
> about terminology?
>
> We're looking at two approaches. In one approach we essentially say
> "no third-party tracking," and then we very carefully define what
> "third-party" means. In the other approach we say "no cross-site
> tracking," and then we very carefully define what "cross-site" means.
> In both cases we have to specify what constitutes the same
> party/site. In both cases we will presumably create the obvious set
> of exceptions.
>
> It could be--and please help me understand whether this is true--that
> we will end up writing a standard that allows and disallows the same
> things, regardless of which approach we take. Or is there a
> substantive disagreement lurking beneath the terminology?
>
> To be clear, I don't mean to suggest that terminology doesn't matter,
> nor that we shouldn't discuss terminology. I'm just saying that it's
> good to be clear about what is and isn't at stake in this part of the
> discussion.
>
> On Thu, Jan 12, 2012 at 1:07 AM, Shane Wiley <wileys@yahoo-inc.com> wrote:
>> I believe cross-site tracking more accurately describes the intended goal of
>> the working group so would suggest this remain in the document "as is". In
>> either direction we'll still need to elaborate as to what is and is not
>> cross-site tracking and this can be done with party position definitions and
>> business rules. As MOST of the use cases imagined are cross-site centric,
>> this is the logical place to start from and articulate exceptions from this
>> pivot point.
>>
>>
>>
>> - Shane
>>
>>
>>
>> From: Kevin Smith [mailto:kevsmith@adobe.com]
>> Sent: Thursday, January 12, 2012 12:38 AM
>> To: Jonathan Mayer; Sean Harvey
>> Cc: Rigo Wenning; Jeffrey Chester; public-tracking@w3.org; Roy T. Fielding
>> Subject: RE: diff of TPE editing since the FPWD
>>
>>
>>
>> I agree with Sean that cross-site tracking carries far less ambiguity than
>> 1st vs 3rd parties and is probably a simpler approach to solving the same
>> problem of preventing cross-site tracking.
>>
>>
>>
>> Jonathan wrote:
>>
>>> I view it as a *positive* sign that our current approach has surfaced
>>> issues of outsourcing and backend sharing - that means we're moving past
>>> linguistic hijinks and debating actual substance.
>>
>>
>>
>> From a cross-tracking based conversation, outsourcing is far less relevant,
>> and back-end sharing is a more obvious concern, being one of the primary
>> methods of cross-site data sharing. So I actually think this is an example
>> of how the conversations become easier and more straightforward when
>> focusing on cross-tracking.
>>
>>
>>
>> Jonathan said:
>>
>>> Kevin proposed a definition of "Do Not Cross Track" within the ambit of
>>> ISSUE-5 ("What is the definition of tracking?"). The discussion that
>>> followed was vague, confused, and unhelpful.
>>
>>
>>
>> I actually got a very positive response and strong agreement from several
>> group members, but very little traction or discussion from the group as a
>> whole. I look forward to raising the question in Belgium where hopefully
>> the face to face interaction can help me understand objections or answer
>> concerns more easily.
>>
>>
>>
>> Rigo said:
>>
>>> can you explain cross-site tracking by first parties to me? I just point
>>> out the logic break here. Either we talk about first vs third parties or we
>>> solely scope the entire exercise and scope to "cross-site tracking".
>>
>>
>>
>> A 1st party would participate in cross-site tracking by using data collected
>> on its site/properties on an unrelated site (without getting into the
>> domain/affiliate discussion here), or by giving the data to someone else to
>> use on an unrelated site such as selling it to a dsp. A 1st party may also
>> be in violation by acquiring data from a 3rd party (such as a Blue Kai) for
>> use on its site (such as product targeting or personalization).
>>
>>
>>
>> You are right though in that it does not make sense to define DNT both in
>> terms of parties and cross-site tracking. At our first f2f, it seemed to me
>> that we largely agreed that providing a mechanism to prevent cross-site
>> tracking and targeting was our primary objective. The first suggested
>> approach to defining this was to exempt 1st parties (for the most part),
>> prohibit 3rd parties (for the most part), and then work on defining the gray
>> areas. Or in other words, define cross-site tracking in terms of what 3rd
>> parties do with our data. This idea caught on so quickly that we never
>> really examined other approaches, and to be honest, it made a lot of sense
>> to me at the time as well. The unfortunate result however, was that parties
>> became more and more difficult to enumerate, define and separate. Before
>> long, the party question had hijacked nearly all conversations and we were
>> no longer focusing on DNT but rather on party definition.
>>
>>
>>
>> So I think it's time to revisit the original problem of preventing cross site
>> tracking, but try using a contextual definition rather than a party based
>> definition. Much of our work will translate over perfectly, so I do not
>> think we will lose much time. In fact, I think we will actually shorten the
>> remaining effort substantially by removing the party complexities and
>> ambiguities.
>>
>>
>>
>> From: Jonathan Mayer [mailto:jmayer@stanford.edu]
>> Sent: Wednesday, January 11, 2012 4:16 PM
>> To: Sean Harvey
>> Cc: Rigo Wenning; Kevin Smith; Jeffrey Chester; public-tracking@w3.org; Roy
>> T. Fielding
>> Subject: Re: diff of TPE editing since the FPWD
>>
>>
>>
>>
>>
>> On Jan 11, 2012, at 2:41 PM, Sean Harvey wrote:
>>
>>
>>
>> As I step back and think about it for a moment I feel that the potential
>> ambiguities around the definition of "cross site tracking" might be less
>> intractable than those around "first and third party" which is where we've
>> gotten into a tangle over the past weeks.
>>
>>
>>
>> Among the many complexities that we've encountered in this respect are that
>> third party domains are often merely software tools used by first parties,
>> and that first parties have to be restricted from sharing their data with
>> third parties. All of this is addressed & defined more cleanly in a "cross
>> site tracking" paradigm. A good "cross site" definition could simplify
>> things greatly, close potential loopholes for first parties and build
>> greater consensus.
>>
>>
>>
>> I don't believe a renewed focus on "cross-site tracking" would be
>> productive. The phrase introduces the ambiguities I noted below and
>> unnecessarily conflates the independent questions of which roles are covered
>> (currently framed as first party vs. third party) and what actors in those
>> roles may or may not do (currently framed as, for third parties, a blanket
>> bar + exceptions). I view it as a *positive* sign that our current approach
>> has surfaced issues of outsourcing and backend sharing - that means we're
>> moving past linguistic hijinks and debating actual substance.
>>
>>
>>
>> Setting aside those objections, this approach has been tried without
>> success. Kevin proposed a definition of "Do Not Cross Track" within the
>> ambit of ISSUE-5 ("What is the definition of tracking?"). The discussion
>> that followed was vague, confused, and unhelpful.
>>
>>
>>
>> Correct me if I'm wrong, but I believe the consensus of the group early on
>> was to focus on cross-site tracking; part of the problem in definitions
>> seems to be that we aren't being clear about that.
>>
>>
>>
>> Much of this standardization process has involved stakeholders developing a
>> more precise understanding of the issues in play. (Look no further than the
>> issue tracker, which is a virtual graveyard of old generalities replaced by
>> newer specifics.) There was certainly consensus fairly early that the
>> standard would include some distinction like "first party vs. third party"
>> or "cross-site" - but I don't believe the group was sophisticated enough at
>> that point to agree on details. In fact, we're just now working out the
>> specifics.
>>
>>
>>
>> On Wed, Jan 11, 2012 at 4:37 PM, Jonathan Mayer <jmayer@stanford.edu> wrote:
>>
>> I think there's a language ambiguity here. Some consider "cross-site
>> tracking" to be about correlating user actions on unrelated websites.
>> Others consider "cross-site tracking" to be about information practices by
>> third-party websites. In light of the ambiguity, I'd support dropping the
>> term from the Preference Expression document and replacing it with something
>> more neutral.
>>
>> Moreover, at a higher level, I don't think compliance policy questions
>> belong in that document. Preference Expression should be a technical
>> vehicle for whatever Compliance and Scope specifies - no more and no less.
>> I would support clarifying that principle in the documents and trimming the
>> lengthy policy-based introduction from the Preference Expression document.
>>
>> I am very sensitive to Roy's and Kevin's concern that the group not move
>> away from its consensus that this standard will impose (almost) no limits on
>> first-party conduct. I believe the current proposals for Compliance and
>> Scope accurately reflect that consensus. To the extent they don't, debate
>> should be held in the context of that document, not surrounding an ambiguous
>> turn of phrase elsewhere.
>>
>> Jonathan
>>
>>
>> On Jan 11, 2012, at 11:46 AM, Rigo Wenning wrote:
>>
>>> Kevin,
>>>
>>> can you explain cross-site tracking by first parties to me? I just point
>>> out the logic break here. Either we talk about first vs third parties or we
>>> solely scope the entire exercise and scope to "cross-site tracking".
>>>
>>> Rigo
>>>
>>> On Wednesday 11 January 2012 11:13:08 Kevin Smith wrote:
>>>> Actually, at least in the early meetings, I believe we had near consensus
>>>> that the objective of this working group would be focused around
>>>> cross-site tracking (despite a somewhat confusing name of DNT). Most of the
>>>> current issues and discussions are reflective of this direction - such as
>>>> defining affiliates, 1st vs 3rd parties, and exceptions to when cross-site
>>>> tracking is permissible such as rate frequency capping.
>>>>
>>>> If that is still true, I think it's imperative to have it spelled out as
>>>> Roy has done in the doc to avoid as much confusion as possible.
>>>
>>
>>
>>
>>
>>
>> --
>> Sean Harvey
>> Business Product Manager
>> Google, Inc.
>> 212-381-5330
>> sharvey@google.com
>>
>>
>
>
David Singer
Multimedia and Software Standards, Apple Inc.
Received on Friday, 13 January 2012 03:41:58 UTC