W3C home > Mailing lists > Public > public-tracking@w3.org > November 2012

Re: ISSUE-28: MRC presentation

From: Roy T. Fielding <fielding@gbiv.com>
Date: Fri, 2 Nov 2012 02:12:45 -0700
Message-Id: <FACDCC54-0B61-4C24-B639-36619AFA373C@gbiv.com>
To: "public-tracking@w3.org Group WG" <public-tracking@w3.org>
[This thread has nothing to do with ISSUE-28 (already closed).]

Folks, I know almost nothing about the MRC and care even less about
this debate, but it seems obvious from the materials already provided
that:

 1) MRC is about auditing the measuring techniques -- it doesn't
    sound like it performs any collection itself, nor is it a party
    to any protocol interaction relevant to DNT.  If it were,
    I assume it would treated just like an auditor.

 2) The original question was about how long a data controller that
    performed measurement (e.g., an advertising network billing function)
    would have to retain original source materials for the sake of
    complying with an audit.  It is not about data collection -- that
    is already covered by the permitted use for financial/audit.
    The only reason MRC was brought up is because they apparently
    have a specific retention requirement of one year, which would
    mean that a US company subject to MRC audits needs to retain the
    source data for a year regardless of DNT:1, but only to the extent
    necessary to support the measurements that it performed that
    are already permitted by DNT:1.  It is only one potential example
    of necessary retention and, IIRC, is already addressed in general
    by Nick's proposal for compliance.

 3) AFAICT, the suggested questions are about as relevant to the MRC
    as it would be to ask the SEC how they purchase stocks.

I have no idea if MRC is a legitimate organization or whether
its data retention requirements have any relevance to DNT
compliance.  Since they were only provided as a single point
example and the proposed requirements for compliance are based
on what is necessary for the data collector, not what is
necessary for all data collectors, I simply don't care.
Neither should anyone else.  At most, it might make for an
interesting test case for regulators, and they can investigate
such a case based on actual facts rather than suppositions.

I object to wasting any more of our meeting times on this subject.
If people want to do research on MRC, then do it on your own time,
or propose compliance text that would make the research relevant
to us.

....Roy

On Nov 1, 2012, at 11:49 PM, Rob van Eijk wrote:

> Two more questions:
> 
> 4/ Is MRC collecting identifiers based on fingerprinting, for example a hash of the user agent.
> 5/ If fingerprinting is used, is it the primary mechanism, or is it a fall back mechanism, when cookies fail/are not present.
> 
> Rob
> 
> Rigo Wenning schreef op 2012-11-01 23:36:
>> Chris,
>> 
>> here is the reminder that you wanted to try to find someone in MRC
>> who could present to the Working Group.
>> 
>> I think the best would be to get a set of questions to him/her. A
>> presentation and Q&A session would be done during the TP WG call.
>> 
>> I encourage Ed and others to help with the questions. I remember the
>> following:
>> 
>> 1/ How does opt-out work with MRC? Is data collection mandatory?
>> 2/ Is MRC collecting identified or identifiable data?
>> 3/ If 2/ is yes, are there plans to change that in the foreseeable
>> future?
>> 
>> Chris, feel free to suggest changes if you find the questions too
>> provocative (I find them exploratory as I don't know nothing about
>> MRC).
>> 
>> I talked to the chairs and Aleecia also said it is a good idea. So
>> can you help us to make this happen?
>> 
>> Rigo
Received on Friday, 2 November 2012 09:13:08 UTC

This archive was generated by hypermail 2.3.1 : Friday, 21 June 2013 10:11:37 UTC