W3C home > Mailing lists > Public > public-tracking@w3.org > May 2012

Re: Allowed uses of protocol data in first N weeks (ACTION-190)

From: イアンフェッティ <ifette@google.com>
Date: Wed, 9 May 2012 16:47:10 -0700
Message-ID: <CAF4kx8d7sHvNwP0O0rcrm3ObUiV32n=EN99HS_5EXV+ixj=cyg@mail.gmail.com>
To: John Simpson <john@consumerwatchdog.org>
Cc: "TOUBIANA, VINCENT (VINCENT)" <Vincent.Toubiana@alcatel-lucent.com>, "public-tracking@w3.org Group WG" <public-tracking@w3.org>
Yes

On Wed, May 9, 2012 at 4:25 PM, John Simpson <john@consumerwatchdog.org>wrote:

> Ian,
>
> This morning's call left me confused.  Does the text proposed by
> Action-190 apply to both 1st and 3rd parties?
>
> Thank you,
> John
>
>
> On May 9, 2012, at 3:57 PM, Ian Fette (イアンフェッティ) wrote:
>
> On Wed, May 9, 2012 at 3:53 PM, TOUBIANA, VINCENT (VINCENT) <
> Vincent.Toubiana@alcatel-lucent.com> wrote:
>
>> I believe I should elaborate why I think the current text is too vague.
>> I'm mostly concerned by the following sentence:
>>
>> "Similarly, a data collector MUST NOT use the data to build any profile,
>> or associate the data to any profile, of a user used for purposes other
>> than would be allowed outside of the the six week period."
>>
>> Why not simply say "Similarly, a data collector MUST NOT use the data for
>> purposes other than those allowed outside of the the six week period." ?
>> It seems to me that the examples provided in the rest of the text (see
>> bellow) as well as those mentioned during the phone conference today are
>> actually covered by the permitted uses.
>>
>>
> Playing devil's advocate -- If you say that, then what is the difference
> between before and after the six week period? I'm not sure what then this
> exception buys you. I'm not trying to create a back door for some set of
> nefarious uses, but I'm trying to say instead "Look, if you're not doing
> anything strange then this should make it trivial for you to comply with
> this spec if you only retain logs data for six weeks." That covers a lot of
> people and a lot of legitimate, common, non-scary uses. If you're keeping
> data for a longer period of time, then there's some burden placed on you as
> a result.
>
>
>> "As examples, a data collector MAY use the raw data within a six week
>> period to debug their system, a data collector MAY use the raw data within
>> the six
>> week period to build a profile of a user fraudulently or maliciously
>> accessing the system for purposes such as blocking access to the system by
>> that use."
>>
>> If the logs can only be used for the "permitted uses" and it's just a
>> question of storing the raw data for six weeks, then I have no objection
>> with this proposal.
>>
>> Thank you,
>>
>> Vincent
>>
>>
>>
>> From: イアンフェッティ <ifette@google.com>
>> Date: Wed, 2 May 2012 08:47:53 -0700
>> Message-ID: <
>> CAF4kx8fAu5mcN6JCaZ9WHDQg9Kqtpnko7zMxobySVS-5g5xvBA@mail.gmail.com>
>> To: "public-tracking@w3.org Group WG" <public-tracking@w3.org>
>>
>> On last week's call, I took an action to write a proposal for protocol
>> data
>> in the first N weeks (ACTION-190 and ISSUE-142).
>>
>> My proposed text would be as follows, comments welcome:
>>
>> Protocol data, meaning data that is transmitted by a user agent, such as a
>> web browser, in the process of requesting content from a provider,
>> explicitly including items such as IP addresses, cookies, and request
>> URIs,
>> MAY be stored for a period of 6 weeks in a form that might not otherwise
>> satisfy the requirements of this specification. For instance, the data may
>> not yet be reduced to the subset of information allowed to be retained for
>> permitted uses (such as fraud detection), and technical controls limiting
>> access to the data for permitted uses may not be in place on things like
>> raw logs data sitting on servers waiting for processing and aggregation
>> into a centralized logs storage service.
>>
>> Within this six week period, a data collector MUST NOT share data with
>> other parties in a manner that would be prohibited outside of the six week
>> period. Similarly, a data collector MUST NOT use the data to build any
>> profile, or associate the data to any profile, of a user used for purposes
>> other than would be allowed outside of the the six week period. As
>> examples, a data collector MAY use the raw data within a six week period
>> to
>> debug their system, a data collector MAY use the raw data within the six
>> week period to build a profile of a user fraudulently or maliciously
>> accessing the system for purposes such as blocking access to the system by
>> that user, but the data collector MUST NOT build a profile to serve
>> targeted advertisements based on the user's past six weeks of browsing
>> activity.
>>
>> After the six week period has passed, only the subset of data necessary to
>> accomplish the permitted exceptions in this specification may be retained,
>> and the data must be controlled in such a way that only access to the data
>> for these permitted exceptions is allowed.
>>
>
>
> ----------
> John M. Simpson
> Consumer Advocate
> Consumer Watchdog
> 1750 Ocean Park Blvd. ,Suite 200
> Santa Monica, CA,90405
> Tel: 310-392-7041
> Cell: 310-292-1902
> www.ConsumerWatchdog.org
> john@consumerwatchdog.org
>
>
Received on Wednesday, 9 May 2012 23:47:40 UTC

This archive was generated by hypermail 2.3.1 : Friday, 21 June 2013 10:11:28 UTC