W3C home > Mailing lists > Public > public-tracking@w3.org > January 2012

Re: definition of (cross-site) tracking

From: Roy T. Fielding <fielding@gbiv.com>
Date: Fri, 13 Jan 2012 01:22:35 -0800
Cc: Tracking Protection WG <public-tracking@w3.org>
Message-Id: <91505E0F-F4BF-4658-BBD4-DA786D4F298F@gbiv.com>
To: David Singer <singer@apple.com>
On Jan 12, 2012, at 10:26 AM, David Singer wrote:

> My problems with the term 'cross-site' are two-fold:
> a) I think users are asking "don't track me" and they will see "don't cross-site track me" as restricting some, but not nearly all, of what they worry about.
> b) I think some sites will break the formal rules but claim that what they are doing is not "cross-site" and so is allowed.
> We could argue in both cases that they should read the document and the definitions and rules, but in both cases I fear the damage is done before that. This is behind some of the (slightly emotional) resistance to what could be, after all, merely a terminology question.
> This is assuming we agree on a definition, of course, of what we're restricting…maybe then we'll be able to decide what label to give it.
> There seems to be some 'emotional' resistance the other way; can anyone explain it?

I have no reason to honor Do Not Track if it isn't clearly restricted to
actual privacy concerns, such as unexpected or undesired data sharing between
sites and perhaps the one Björn raised about resurrecting cleared data.
And by clearly restricted, I mean communicated to the user so that they
do not get confused by propaganda terms like "Do Not Track", but rather are
informed of exactly what the preference will mean to sites that receive it.

"Do Not Track" without restrictions does not address a privacy concern.
Instead, it is an expressed desire to be a free-rider on the Web of content
that is, for the most part, paid for by advertising or marketing revenue
made possible by tracking in one form or another.  If a person decides to
use a site and sends a request to that site, then that site has the right
to collect and retain data about that request and its demand on their
services.  The user does not have a right to anonymity.  The user does
not have a right to free services.  I have no reason to expect that any
more than I would expect Apple to provide an 80% discount on iTunes to
anyone with DNT: 1 set.

Am I going to get all emotional about that? Yes. These are my customers
we are talking about, who are being asked to lose revenue or destroy
the usability of their site just because an ill-defined checkbox has
been selected in a browser config.

All of the input documents I read, and the discussion at the F2F in
Cambridge, were advocating the exclusion of non-shared first-party
(including outsourced) data collection and personalization from being
effected whatsoever by the presence of DNT.  The reason for that is simple:
We don't want all of the content providers to require an opt-back-in.
We want users who are concerned about the privacy issue to be
able to turn on DNT and not be blocked by the same user experience
one gets when turning off cookies.  We want users who are surfing with
DNT on to have the same personalized customer experience as other
users aside from forbidding the use of data obtained from other sites.
That's the spec that I agreed to edit.

If we can't have a restricted definition for DNT, then I'd rather not
have DNT at all.  I'd rather not waste all those bytes on the wire for
a user preference that will just be ignored or denied.  I'd rather have
the regulators address the privacy issues by setting and enforcing
restrictions on what can and cannot be shared between sites without
prior consent, and then let each site determine how to obtain consent
if they really need data from other sites.

Quite frankly, I am tired of repeating this over and over.  Everyone
has an opinion.  We aren't all going to be satisfied by every aspect
of how the protocol works.  What we should have decided, first, is
what we are intending to accomplish via the protocol, and then write
that down in a form that everyone agrees to or leaves.  In that respect,
I agree with David's second-to-last paragraph above.  If we can't
agree on what we are trying to constrain, then the definitions for
what we express are never going to obtain consensus.

Received on Friday, 13 January 2012 09:28:26 UTC

This archive was generated by hypermail 2.3.1 : Friday, 21 June 2013 10:11:23 UTC