
Re: action-190

From: Justin Brookman <justin@cdt.org>
Date: Wed, 30 May 2012 11:21:06 -0400
Message-ID: <4FC63AE2.9020002@cdt.org>
To: public-tracking@w3.org
I am still confused as to what this grace period is supposed to 
accomplish, and I worry that it's hard to have this discussion in 
isolation from (1) what are the permitted uses and (2) what identifiers 
can be used by third parties when DNT is on.

Ian's proposal envisions at least some immediate restrictions on the use 
of the data --- namely, that the data cannot go into a behavioral 
profile or be used to display targeted ads, and it can't be transferred 
to a third party.  What otherwise non-permitted uses are we concerned 
about?  Is the benefit of this provision contingent upon what we later 
agree to be permitted uses --- such as fraud prevention/research/product 
improvement/debugging?  I think I would be comfortable with allowing 
some of those more controversial uses during an initial grace period (or 
more to the spirit of Ian's proposal, perhaps anything goes except 
transferring or subsequently customizing the user experience), but six 
weeks seems excessive.  I would feel much more comfortable limiting to 
two, though if someone wants to make an argument that companies can't 
figure out how to treat that data in two weeks (other than agreeing not 
to use it for profiling or transfer it?) then go ahead.

Also, people are likely to have different reactions to this concept 
depending on whether the third party is allowed to use unique 
identifiers, a point on which the two leading proposals at the last 
face-to-face differed markedly.

Justin Brookman
Director, Consumer Privacy
Center for Democracy & Technology
1634 I Street NW, Suite 1100
Washington, DC 20006
tel 202.407.8812
fax 202.637.0969
justin@cdt.org
http://www.cdt.org
@CenDemTech
@JustinBrookman


On 5/30/2012 12:50 AM, Shane Wiley wrote:
>
> Aleecia,
>
> What does the six week period buy a 3rd party?  If our approach is 
> "use based" (i.e. may only use data for a few very limited purposes) 
> and those are in force from the moment you "collect" a log file entry, 
> I'm not seeing why the six weeks is valuable.  As long as the data is 
> not used for anything other than a Permitted Use, then the timeframe 
> can be 1 second or 3 months prior to its use, unlinking, or 
> destruction.  This seems like a backdoor approach to establishing an 
> arbitrary data retention limit but I'm not seeing the value if the 
> data is never "used" for anything outside of a Permitted Use.    If a 
> 3rd party retains data for ANY of the Permitted Uses, it appears to 
> trump this provision.  Is this simply to remove the risk of government 
> intrusion requesting a 3rd party's raw log files?
>
> I would recommend we remove this language altogether and move back to 
> the current "use based" model for retention discussions.
>
> - Shane
>
> From: Aleecia M. McDonald [mailto:aleecia@aleecia.com]
> Sent: Tuesday, May 29, 2012 2:46 PM
> To: public-tracking@w3.org
> Subject: action-190
>
> In the midst of writing the agenda for tomorrow I realized I was 
> spending too much space on log files and should pull this out into a 
> different message.
>
> To go back to the point of this issue, we are trying to find a way to 
> give companies flexibility when they do not yet know what data they 
> hold in a log file. We are trying to find a path such that they do not 
> have to operate in real-time, with all of the engineering challenges 
> entailed.
>
> We have proposed text from Ian, which we discussed on the 9 May 
> conference call. We ran into a few issues on the call:
>
> A. People not supporting Ian's text simply because they had not 
> reviewed it. At this point there has been AMPLE time for review. We 
> shall not have that issue again tomorrow.
>
> B. Confusion that Ian's proposal applies to first parties.
>
> - My read is that some of this confusion stems from the mistaken 
> notion that data after six weeks must be discarded, as opposed to 
> processed. We may need to clarify the text to make that clear if that 
> confusion is widespread. We can talk about this on the call if needed.
>
> - As Roy points out, at the moment log files are written, it may not 
> be clear if data are first- or third-party unless we want to insist on 
> real-time processing, which is part of what we're trying to avoid in 
> the first place. As such, any party that _could_ be collecting log 
> file data as a third-party will run into wanting time to process their 
> logs.
>
> SUGGESTION: we add additional text to point out that for those who 
> know they are always only first parties, they can do as they like with 
> log file data so long as they are in compliance with other first party 
> data practices. That will be the end result either way, but we can 
> make this clearer I think.
>
> C. Confusion around the notion of processing a log file as a one-time 
> or multi-time event. The consensus we had in DC assumed processing as 
> a one-time event: we were working on something like "you may hold log 
> file data for a short time until you process it, at which time the 
> data must then comply with DNT rules for you." What we have since 
> heard from Ian is that log processing is something that happens on a 
> rolling basis. We then started down a path of complexity of what 
> would, or would not be, permitted uses for log file data, and that 
> created a new wave of confusion and frustration. This led to a 
> counter-proposal from Vincent 
> (http://lists.w3.org/Archives/Public/public-tracking/2012May/0171.html) of:
>
> Similarly, a data collector MUST NOT use the data for purposes other 
> than those allowed outside of the six week period.
>
> SUGGESTION: we adopt Vincent's change, which simplifies much.
>
> We might also refer to the rest of the text for details on the fraud 
> use rather than attempt to characterize it here, and illustrate more 
> clearly that this is not a block on first parties. Specifically, we 
> might tighten the original text of:
>
> As examples, a data collector MAY use the raw 
> data within a six week period to debug their system, a data collector 
> MAY use the raw data within the six week period to build a profile of 
> a user fraudulently or maliciously accessing the system for purposes 
> such as blocking access to the system by that user, but the data 
> collector MUST NOT build a profile to serve targeted advertisements 
> based on the user's past six weeks of browsing activity.
>
> to:
>
> As examples, a data collector MAY use the raw 
> data within a six week period for a permitted use like <link>fraud 
> prevention</link> or to create reports with 
> <link>unidentifiable data</link>, but a third party data collector 
> MUST NOT build a profile to serve targeted advertisements based on the 
> user's past six weeks of browsing activity.
>
> Here's how that all rolls up together:
>
> Protocol data, meaning data that is transmitted by a user agent, such as a web browser, in the process of requesting content from a provider, explicitly including items such as IP addresses, cookies, and request URIs, MAY be stored for a period of 6 weeks in a form that might not otherwise satisfy the requirements of this specification. For instance, the data may not yet be reduced to the subset of information allowed to be retained for permitted uses (such as fraud detection), and technical controls limiting access to the data for permitted uses may not be in place on things like raw logs data sitting on servers waiting for processing and aggregation into a centralized logs storage service.
>
> Within this six week period, a data collector MUST NOT share data with other parties in a manner that would be prohibited outside of the six week period. Similarly, a data collector MUST NOT use the data for purposes other than would be allowed outside of the six week period. As examples, a data collector MAY use the raw data within a six week period for a permitted use like <link>fraud prevention</link> or to create reports with <link>unidentifiable data</link>, but a third party data collector MUST NOT build a profile to serve targeted advertisements based on the user's past six weeks of browsing activity.
>
> After the six week period has passed, all other requirements of the DNT specification apply.
>
> Let's talk this through on the call and get this closed tomorrow.
>
> Aleecia
>
Received on Wednesday, 30 May 2012 15:21:45 UTC

This archive was generated by hypermail 2.3.1 : Friday, 21 June 2013 10:11:28 UTC