W3C home > Mailing lists > Public > public-tracking@w3.org > June 2012

Re: definitions

From: Rigo Wenning <rigo@w3.org>
Date: Fri, 22 Jun 2012 17:25:34 +0200
To: public-tracking@w3.org
Cc: "Roy T. Fielding" <fielding@gbiv.com>
Message-ID: <10080168.A1NgXIz5R1@hegel.sophia.w3.org>
Hi Roy, 

I have either marked my favorite or added one with (rw). To keep 
things manageable, I have removed all the definitions I did not 
like. 

On Friday 22 June 2012 01:24:14 Roy T. Fielding wrote:
> This is a collation of not-yet-consenus definitions used in the
> compliance document (c1) (c2), combo draft (cm), Shane et al's
> proposal (s), Jonathan et al's proposal (j), Roy's proposals (r),
> and various EC directives (eu).
> 
> 
data collection
>   (cm) A party collects data if the data comes within its control
> and the control of that data is not transient.

I like this definition, but I don't know if "transient" is strong 
enough to mean "storage". 
> 
>   (r1) "Data collection" (for the purpose of DNT) is the process
> of assembling data from or about one or more network interactions
> and retaining/sharing that data beyond the scope of responding to
> the current request or in a form that remains linkable to a
> specific user, user agent, or device.

I'm not against the reduced scope here, but that reduction should 
not be part of that definition. The reduction should be expressed as 
a rule in the compliance document. 
> 
>   (r2) [no definition, just like the regulators]

I can live with that
> 
> 
retention
 
>   (r) A party "retains" data if data remains within a party's
> control beyond the scope of the current interaction.

+1
> 
> 
use
>   (cm) A party uses data if the party processes the data for any
> purpose, including for storage.

I can live with the above, but prefer the EU definition that says: 
(eu) "use is the performance of operations over personal data"
> 
>   (r) A party uses data if the party processes the data for any
> purpose other than merely forwarding it to another party.

The (r)-definition creates a loophole for sharing in conjunction 
with the (r)-definition of sharing. Because forwarding to others is 
neither use nor sharing. "Allowing to receive" is not "fowarding". 

> 
> sharing
> 
>   (r) A party shares data if it allows any other party to receive
> or access that data.

(eu/rw) Sharing is the fact of disclosing personal data to a third 
party or to a data processor
(in this case we have to say that "sharing" with the processor is 
legitimate elsewhere. If we remove "or to a data processor", the 
latter is treated like data communication inside the first party)
> 
> 
> unlinkable
> 
>   (eu) to determine whether a person is identifiable, account
> should be taken of all the means likely reasonably to be used
> either by the controller or by any other person to identify the
> said person; whereas the principles of protection shall not apply
> to data rendered anonymous in such a way that the data subject is
> no longer identifiable

IMHO, the EU definition works best here, although adapt it a bit. 
"unlinkable" is just another name for non-personal data. You can 
only determine that by knowing what personal data means. But I favor 
rules how to handle IP addresses regardless of whether people 
believe they are linkable or unlinkable. This solves a major (known) 
hickup in the above definition. 
> 
> 
> tracking

>   (r1) Tracking is defined as following or identifying a user,
> user agent, or device across multiple visits to a site (time) or
> across multiple sites (space). Mechanisms for performing tracking
> include but are not limited to: • assigning a unique identifier
> to the user, user agent, or device such that it will be conveyed
> back to the server on future visits; • personalizing references
> or referral information such that they will convey the user, user
> agent, or device identity to other sites; • correlating data
> provided in the request with identifying data collected from past
> requests or obtained from a third party; or, • combining data
> provided in the request with de-identified data collected or
> obtained from past requests in order to re-identify that data or
> otherwise associate it with the user, user agent, or device.

I like this, but I think you "import" the definition of DNT:0 here. 
So if we take this definition, we do not have to define DNT:0 
anymore, but just say that DNT:0 allows "tracking". I still believe 
a separate definition of DNT:0 is easier and better understandable. 
> 
>   (r2) Tracking is the retaining or sharing of data about a user's
> Internet activity in a form that remains linkable to that user,
> user agent, or device across multiple Web properties that do not
> share a common first party (data controller).

You reduce too much by including "internet activity" as we also have 
talked about the combination of offline data with online data. If we 
take that limitation away, (r2) is my favorite.
> 
> 
> do not track

none made me happy. I try my own:

(rw) By sending the DNT:1 signal as defined by section 4 of the 
Tracking Preference Expression Specification, the user expresses a 
will that this request shall not be subject to tracking by third 
parties. Any third party should refrain from collection and use of 
personal data beyond actions necessary for the processing to convey 
the communication and/or beyond the uses expressly permitted by the 
Tracking Compliance and Scope Specification.

> 
> party
> 
>   (j) A functional entity is any commercial, nonprofit, or
> governmental organization, a subsidiary or unit of such an
> organization, or a person. Functional entities are affiliated
> when they are related by both common majority ownership and
> common control. A party is a set of functional entities that are
> affiliated.
> 
Jonathan wins. I think the aim of having the data processor being 
part of the first party should be fulfilled within the definition of 
the processor and not in the definition of party. 

> 
> first party

In general, I think that we mimic the "purpose limitation principle" 
by this distinction. Over time, people will realize that it jails 
more than it helps. I would rather go for a purpose limitation and 
disregard the distinction. But this is probably too late in the 
process. So I will probably have to live with it. In this spirit, 
the following remarks: 
> 
>   (r) If a resource is designed for direct interaction, is only
> used by the resource owner on its own sites for direct
> interaction, and is not documented by the resource owner for use
> as an embedded API for other sites, then the resource need only
> comply with first-party requirements.  Otherwise, the resource
> must comply with third-party requirements unless it can
> dynamically determine that it has been invoked in a first party
> context.

Roy wins as I believe that the very technical description oriented 
towards the goal to influence HTTP traffic is avoiding the general 
social question of what social relations between parties are 
acceptable in the context of DNT. 
> 
> 
outsourcing/service provider

I favor 
(eu)service provider shall mean a party which processes personal 
data on behalf of the first party;

We need the definition of consent

(rw) the user's consent to be tracked is expressed by sending the 
DNT:0 token as defined in section 4 of the Tracking Preference 
Expression Specification and as confirmed by the responding service. 
The DNT tokens express specific and informed indication of the 
users' wishes as defined by the Tracking Compliance and Scope 
Specification which they signify their agreement to personal data 
relating to him being processed for tracking as defined herein.

Rigo
Received on Friday, 22 June 2012 15:26:04 UTC

This archive was generated by hypermail 2.3.1 : Friday, 21 June 2013 10:11:31 UTC