Re: [ISSUE-5] What is the definition of tracking?

Roy,

Clarifying question. Does your proposal prohibit:

1) *collecting* information that *could be* used for correlation of browsing activity,
2) *collecting* information that *is* used for correlation of browsing activity, or
3) *using* information to correlate browsing activity?

My initial read was #1.  But on a re-read and in follow-on discussion, there seem to be suggestions of #2 and #3.

Thanks,
Jonathan

On Mar 4, 2012, at 3:36 PM, Roy T. Fielding wrote:

> Color me frustrated.  The definition for tracking provided in the
> Compliance document is not distinguishable from any request to a
> third-party site while rendering a page, nor does it reflect what
> a common user's expectation would be for that term, nor does it
> reflect any of the regulatory descriptions of the term.
> 
> Here is the current definition:
> =========
>  3.7 Tracking
> 
>  Tracking is the collection or use of user data via either a
>  unique identifier or a correlated set of data points being
>  used to approximate a unique identifier, in a context other
>  than "first party" as defined in this document. This includes:  			
> 
>   • a party collecting data across multiple websites,
>     even if it is a first party in one or more (but not all)
>     of the multiple contexts
> 
>   • a third party collecting data on a given website
> 
>   • a first party sharing user data collected from a DNT-on
>     user with third parties "after the fact".
> 
>  Examples of tracking use cases include:
> 
>   • personalized advertising
>   • cross-site analytics or market research that has not been de-identified
>   • automatic preference sharing by social applications
> 
> =========
> 
> The WG needs a definition that only applies to the act of tracking,
> since otherwise the entire Web (every image, CDN, stylesheet, etc.)
> is a false positive.  The WG needs a definition that is specific and
> consistent with user expectations, since otherwise "allow tracking"
> fails as a mechanism for consent.
> 
> Here is my proposed replacement text:
> 
> =========
> 
> Tracking is defined as following or identifying a user, user agent,
> or device across multiple visits to a site (time) or across multiple
> sites (space).
> 
> Mechanisms for performing tracking include but are not limited to:
> • assigning a unique identifier to the user, user agent, or device
>  such that it will be conveyed back to the server on future visits;
> • personalizing references or referral information such that they will
>  convey the user, user agent, or device identity to other sites;
> • correlating data provided in the request with identifying data
>  collected from past requests or obtained from a third party; or,
> • combining data provided in the request with de-identified data
>  collected or obtained from past requests in order to re-identify
>  that data or otherwise associate it with the user, user agent,
>  or device.
> 
> A preference of "Do Not Track" means that the user does not want
> tracking to be engaged for this request, including any mechanism
> for performing tracking, any use of data retained from prior tracking,
> and any retention or sharing of data from this request for the purpose
> of future tracking, beyond what is necessary to enable:
> 1) the limited exemptions defined in section XX;
> 2) the first-party (and third-parties acting as the first-party)
>    to provide the service intentionally requested by the user; and
> 3) other services for which the user has provided prior,
>    specific, and informed consent.
> 
> =========
> 
> I believe this new definition of tracking and the corresponding
> definition of "Do Not Track" will allow us to move beyond the
> arguments over broad exemptions and instead focus on transparency
> and individual control.  It allows the user to clearly state that
> they don't want tracking outside the first-party context and
> don't want any of the data retention/sharing effects of tracking.
> 
> The tracking status resource can convey exactly what tracking is
> performed by a site, if any, for a given resource and DNT value,
> including what limited exemptions are applicable.  Users (through
> user agent choice or configuration) can decide what services to use,
> or avoid, based on that transparency and not just a single on/off bit.
> 
> It separates the act of tracking from the mechanisms for doing
> tracking and the kinds of data retained from tracking.  The former
> is far easier to define in general, and the latter two will change
> over time as technologies change.
> 
> It allows a first-party service (including its outsourced
> contractors) to perform the service intentionally requested
> by the user, which may include personalization, analytics,
> or social networking as appropriate for that service, since
> otherwise a DNT enabled user would be constantly interrupted
> by consent dialogs just to do what they had already requested.
> A first-party might change their service upon receipt of DNT,
> such as by disabling social networking features, but that is
> presumed to be governed by the nature of the first-party
> service and the privacy options configured directly with
> that first-party.
> 
> It also recognizes that the user can provide prior consent
> for some services that will override the DNT signal, via
> mechanisms outside the scope of this standard, such as
> for paid audience survey tracking or content-by-subscription.
> Such an override, if active for the user, would be reflected
> in the tracking status response.
> 
> I would like to see this new text as at least an option in
> the upcoming compliance WD.  Also, IMO, the definitions of
> user, user agent, device, and tracking should be moved up to
> the start of the first section, or the detailed explanation
> of things like "first-party" moved into a later section, so
> that the details don't overwhelm the purpose of this document.
> 
> 
> Cheers,
> 
> Roy T. Fielding                     <http://roy.gbiv.com/>
> Principal Scientist, Adobe Systems  <http://adobe.com/enterprise>

Received on Wednesday, 7 March 2012 13:55:25 UTC