W3C home > Mailing lists > Public > public-tracking@w3.org > March 2012

Re: [ISSUE-5] What is the definition of tracking?

From: Chris Pedigo <CPedigo@online-publishers.org>
Date: Mon, 5 Mar 2012 12:17:22 +0000
To: "Roy T. Fielding" <fielding@gbiv.com>
CC: Tracking Protection Working Group WG <public-tracking@w3.org>
Message-ID: <1E5510E9-2C34-49E5-8EA0-925D45FD3D7D@online-publishers.org>
Roy, I appreciate your effort to take a fresh look at this definition. On first glance, I have a couple of concerns:

1) Your definition of tracking includes "multiple visits to a site (time)."  This would cover first and third parties equally.  I think that's an overly broad definition of the kind of tracking we're trying to address in this WG and it unfairly presumes that first party tracking is bad or does not meet with user expectations.  I think you try to address it later but I object to the starting point.

2) Then later you propose that tracking would be allowed for "only first-party (and third-parties acting as the first-party) to provide the service intentionally requested by the user."

Limiting first parties to provide only "the service intentionally requested" would be problematic.  We would need to create a entire list of activities that would be permitted. On top of that, I imagine there are all kinds of first party uses for data that users expect but don't intentionally request (i.e. site optimization, fraud investigation). More importantly, this limitation of first parties wouldn't allow for first parties to use data to innovate or create new services for the user. 

I suppose we could create an expansive list of allowable first party activities, but I think you were trying to avoid that complexity.

Again, I do appreciate your taking a look at this definition. I think our definition should focus on data collected about a user across multiple sites. 


Chris Pedigo
Online Publishers Association
(202) 744-2967 



On Mar 4, 2012, at 6:37 PM, "Roy T. Fielding" <fielding@gbiv.com> wrote:

> Color me frustrated.  The definition for tracking provided in the
> Compliance document is not distinguishable from any request to a
> third-party site while rendering a page, nor does it reflect what
> a common user's expectation would be for that term, nor does it
> reflect any of the regulatory descriptions of the term.
> 
> Here is the current definition:
> =========
>  3.7 Tracking
> 
>  Tracking is the collection or use of user data via either a
>  unique identifier or a correlated set of data points being
>  used to approximate a unique identifier, in a context other
>  than "first party" as defined in this document. This includes:              
> 
>    a party collecting data across multiple websites,
>     even if it is a first party in one or more (but not all)
>     of the multiple contexts
> 
>    a third party collecting data on a given website
> 
>    a first party sharing user data collected from a DNT-on
>     user with third parties "after the fact".
> 
>  Examples of tracking use cases include:
> 
>    personalized advertising
>    cross-site analytics or market research that has not been de-identified
>    automatic preference sharing by social applications
> 
> =========
> 
> The WG needs a definition that only applies to the act of tracking,
> since otherwise the entire Web (every image, CDN, stylesheet, etc.)
> is a false positive.  The WG needs a definition that is specific and
> consistent with user expectations, since otherwise "allow tracking"
> fails as a mechanism for consent.
> 
> Here is my proposed replacement text:
> 
> =========
> 
> Tracking is defined as following or identifying a user, user agent,
> or device across multiple visits to a site (time) or across multiple
> sites (space).
> 
> Mechanisms for performing tracking include but are not limited to:
>  assigning a unique identifier to the user, user agent, or device
>  such that it will be conveyed back to the server on future visits;
>  personalizing references or referral information such that they will
>  convey the user, user agent, or device identity to other sites;
>  correlating data provided in the request with identifying data
>  collected from past requests or obtained from a third party; or,
>  combining data provided in the request with de-identified data
>  collected or obtained from past requests in order to re-identify
>  that data or otherwise associate it with the user, user agent,
>  or device.
> 
> A preference of "Do Not Track" means that the user does not want
> tracking to be engaged for this request, including any mechanism
> for performing tracking, any use of data retained from prior tracking,
> and any retention or sharing of data from this request for the purpose
> of future tracking, beyond what is necessary to enable:
> 1) the limited exemptions defined in section XX;
> 2) the first-party (and third-parties acting as the first-party)
>    to provide the service intentionally requested by the user; and
> 3) other services for which the user has provided prior,
>    specific, and informed consent.
> 
> =========
> 
> I believe this new definition of tracking and the corresponding
> definition of "Do Not Track" will allow us to move beyond the
> arguments over broad exemptions and instead focus on transparency
> and individual control.  It allows the user to clearly state that
> they don't want tracking outside the first-party context and
> don't want any of the data retention/sharing effects of tracking.
> 
> The tracking status resource can convey exactly what tracking is
> performed by a site, if any, for a given resource and DNT value,
> including what limited exemptions are applicable.  Users (through
> user agent choice or configuration) can decide what services to use,
> or avoid, based on that transparency and not just a single on/off bit.
> 
> It separates the act of tracking from the mechanisms for doing
> tracking and the kinds of data retained from tracking.  The former
> is far easier to define in general, and the latter two will change
> over time as technologies change.
> 
> It allows a first-party service (including its outsourced
> contractors) to perform the service intentionally requested
> by the user, which may include personalization, analytics,
> or social networking as appropriate for that service, since
> otherwise a DNT enabled user would be constantly interrupted
> by consent dialogs just to do what they had already requested.
> A first-party might change their service upon receipt of DNT,
> such as by disabling social networking features, but that is
> presumed to be governed by the nature of the first-party
> service and the privacy options configured directly with
> that first-party.
> 
> It also recognizes that the user can provide prior consent
> for some services that will override the DNT signal, via
> mechanisms outside the scope of this standard, such as
> for paid audience survey tracking or content-by-subscription.
> Such an override, if active for the user, would be reflected
> in the tracking status response.
> 
> I would like to see this new text as at least an option in
> the upcoming compliance WD.  Also, IMO, the definitions of
> user, user agent, device, and tracking should be moved up to
> the start of the first section, or the detailed explanation
> of things like "first-party" moved into a later section, so
> that the details don't overwhelm the purpose of this document.
> 
> 
> Cheers,
> 
> Roy T. Fielding                     <http://roy.gbiv.com/>
> Principal Scientist, Adobe Systems  <http://adobe.com/enterprise>
> 
Received on Monday, 5 March 2012 12:17:51 UTC

This archive was generated by hypermail 2.3.1 : Friday, 21 June 2013 10:11:26 UTC