W3C home > Mailing lists > Public > public-tracking@w3.org > March 2012

Re: [ISSUE-5] What is the definition of tracking?

From: Roy T. Fielding <fielding@gbiv.com>
Date: Wed, 7 Mar 2012 12:16:50 -0800
Cc: Tracking Protection Working Group WG <public-tracking@w3.org>
Message-Id: <BEAFA9AF-E676-4F86-B222-68C0A5C6C424@gbiv.com>
To: Jonathan Mayer <jmayer@stanford.edu>
On Mar 7, 2012, at 7:04 AM, Jonathan Mayer wrote:

> Substantively, then, I think we're *very* close.
> 
> I (and, as I understand it, quite a few others in the group) favor a blanket third-party collection/retention/use limitation, with an exception for information that could not be used to correlate browsing activity and an exception for protocol information.  (There are, of course, some fine details we might not agree on.  For example: What does a server have to do if the client sends an old ID cookie?  A "hi, here's my SSN" cookie?  What does a server have to do over time with protocol information?)

Please understand that those aren't exceptions.  They are contradictions.
We cannot protect against fraud and simultaneously blanket-prohibit
collection.  We can prohibit use for tracking and retention beyond what
is necessary for the fraud/legal/security exemptions.

> That said, as others have expressed, I'd prefer to avoid the quagmire of defining the word "tracking."  The topic has repeatedly proven a waste of the group's time.  I see no need for us to reach consensus on magic words; we need consensus on substance. 

Given that the protocol is "Do Not Track", this issue has more
substance then the entire rest of the compliance document.

> One last point.  I thoroughly disagree with what you said here:
> 
>> One thing I am quite certain of is that the WG does not have even
>> the remotest sense of what "we're trying to address", and that goes
>> for both industry and advocates.  It is remarkable just how far both
>> sides have been unwilling to address it with actual text, even on
>> their own websites.
> 
> Many stakeholders know exactly what they want Do Not Track to do.  I (and others), in fact, have advocated the substance of what you propose for over a year.  Example: http://tools.ietf.org/html/draft-mayer-do-not-track-00#section-9.2

You are neither "we" nor the "WG", so it doesn't apply to you,
nor to "many stakeholders" in isolation, but rather on what we have
agreed to as a group.

The comment I made at the IETF meeting in Prague is that your draft's
definition of tracking is unusable because every server on the planet
does collection, retention, and use of data related to the request
and response.  Furthermore, scoping tracking that wide does not even
remotely correspond to the English meaning of that term.

The goal of my definition is to find a middle ground between folks
who think they can deny data collection (even though the server must
receive the request in order to process it and *will* retain that
information to combat fraud and security attacks) and those who
think the discussion must be limited to cross-site tracking by
third-parties who do not silo by first-party, while at the same time
providing a solution that will address the consent issue that has
been demanded by regulators for all parties (not just third parties).

What you should be asking is whether the definition is sufficient
to address the privacy and consent issues that have been raised and
discovered by your research, not whether it matches your current or
past suggested solutions regarding data collection.

....Roy
Received on Wednesday, 7 March 2012 20:17:23 UTC

This archive was generated by hypermail 2.3.1 : Friday, 21 June 2013 10:11:26 UTC