- From: Rigo Wenning <rigo@w3.org>
- Date: Tue, 17 Jan 2012 22:55:24 +0100
- To: Kevin Smith <kevsmith@adobe.com>
- Cc: "public-tracking@w3.org" <public-tracking@w3.org>
Kevin, On Tuesday 17 January 2012 09:02:16 Kevin Smith wrote: > I was not actually commenting on W3C procedure as much as I was mentioning > that it seems trivial and inefficient to argue over specific wording when > the underlying decisions have yet to be made, especially when making those > decisions will also resolve the argument as well, which I believe to be the > case here. First of all, I think the "cross-site" or 1st vs 3rd party were all very clever diversions to save the analytics business. In fact, as long as the web site owner collects data (and any kind of data and whatever data) this is just fine. <irony>Only those evil ad networks have brought us into trouble. They are evil third parties doing cross-site tracking and analysis</irony> But in the US context (that triggers all the debate about first/third cross- site/original) it doesn't matter at all, who collects the data as they can exchange it freely in the back end. There is no general privacy law, let alone one on data protection. And because data serves innovation, the US government is very reluctant to just mow data collection down. I am personally (and not as W3C) reluctant to make those distinctions. Because I think the Web and its direct connection between all actors will be much smarter than any kind of distinction we can come up with. But it would be on the other hand a bit derailing for the discussion, if I would now ask to focus on a risk analysis. What do we want to protect? Is it mere compliance to a feared regulator action while privacy is also a defense against the regulating government? If this risk analysis has a result that certain collection practices done by first parties within the same side are endangering democracy, we shouldn't glue to false principals and address that. If on the other hand, some third party collections are just Ok, I don't see why we should demonize that collection only because it is "cross-site" or "third party". And everybody waits that we deliver quickly. So can we really afford changing that discussion? Frankly, I don't know. On the other hand, remaining in the technology trenches doesn't buy us much either. Delaying doesn't further privacy protection on the web and increases the eagerness for harsh countermeasures of technologic and social nature by those waiting for us to deliver something. > > The question of our ultimate objective needs to be answered. I agree with you. But you have to start thinking about what you can give up. And clearly state what you can't give up and why. (without revealing business secrets.. ) What is the risk we try to tackle and what is the benefit we'll lose? > > One proposed objective is: > > **To provide a mechanism whereby a user can indicate preference to disallow > cross-site tracking** See and others say, DNT is to provide a mechanism to indicate a preference full stop. By introducing the "cross-site" you draw the discussion about the "ultimate objective" into the TPE Spec where it does NOT belong IMHO. Because the use of that tool will perhaps change by region and over time. > > I do not believe I am alone in thinking that we at one time had consensus > that this was our objective. However, I am no longer sure this is the > case. It sounds like some parties would prefer an objective closer to: > > Prevent cross-tracking + X I never had the impression of such a consensus. But coming back to process. It is on the chairs to state whether they see (and suggest a wording for) a consensus. > > However, I have not seen any clear proposals as to what X should be. See above. There were many concerns expressed, many times, in the Workshops predating the WG and in WG discussions. See my remarks above about a risk- based discussion.. > I have > seen a few suggestions focusing on different privacy related issues, but > nothing comprehensive nor anything that has gained any real traction within > the group as a whole. Which is fragmentation. And fragmentation is the opposite of consensus as far as I understand it. We should intelligently seek for common grounds between the parties instead of defending the trenches. > However, if the group decides to expand upon or > completely go away from the objective of preventing cross-site tracking, > then I am confident that the documents will be changed > accordingly. I think it will be impossible to only address the "cross-site" aspects of the massive profiling that is happening without risking to be accused to try to escape from the real issues. How do you prevent abuse of such profiles? What aspects of consumer protection are we willing to honor if a user indicates by setting DNT that he wants to be left alone for a moment. But how can we manage to make the "opt-back-in" really easy and a tool for businesses with good practices? So that they gain advantages in the market and acquire more users than the evil guys who just rip off every bit they can get? If convincing users to allow data collection is hard, DNT has missed an opportunity. > Likewise, if the objective is once again (or perhaps for the > first time) solidified as mentioned above, then most objections to the > current language will likely dissipate leaving only organizational > discussions remaining on this topic. I think the conflict around the terminology here is just a proxy war around certain collection practices. But I confess that we are doing our argumentation in public and it is probably necessary to have indirect argumentation. > > I therefore recommend again that this topic be tabled until at least the > above decision has been made. I agree it is not good for our discussion to make a show-down on "cross-site" vs not "cross-site". Because "cross-site" is as difficult a distinction as 1st vs 3rd party. Additionally, "cross-site", by logic, requires two parties. A first and a second/third party. Whether data is collected via 10 first parties using the same analytics provider or by 1 third party being embedded into 10 sites doesn't really matter. Does it? Can they afford to let some of the traffic drop out? How much can drop out until the analysis is not accurate enough anymore to make sense? Best, Rigo
Received on Tuesday, 17 January 2012 21:55:54 UTC