
Re: Proposals for Compliance issue clean up

From: Alan Chapell <achapell@chapellassociates.com>
Date: Mon, 12 Nov 2012 09:53:55 -0500
To: Mike O'Neill <michael.oneill@baycloud.com>, <public-tracking@w3.org>
CC: <ifette@google.com>, <tlr@w3.org>
Message-ID: <CCC67488.257ED%achapell@chapellassociates.com>
Good Morning Mike, pls see below…


From:  Mike O'Neill <michael.oneill@baycloud.com>
Date:  Saturday, November 10, 2012 10:40 AM
To:  <public-tracking@w3.org>
Cc:  <ifette@google.com>, <tlr@w3.org>
Subject:  RE: Proposals for Compliance issue clean up
Resent-From:  <public-tracking@w3.org>
Resent-Date:  Sat, 10 Nov 2012 15:41:40 +0000

> It has been pointed out to me that my last message may have been too brief to
> be constructive, for which I apologise.
>  
> I was simply offering an opinion, namely that the early decision (to make the
> compliance spec mean different things to sites receiving DNT:1)  is one of the
> reasons our process is stuck, which in turn has opened it up to ridicule. My
> interjection was to what I perceived as an example of this, applying the 1st
> party rule to redirector hosts.

Agree completely re: the 1st party and 3rd party distinctions – when taken
to the extreme – are creating all kinds of issues with the spec.
Specifically, (and at risk of sounding like a broken record) significant
anti-competitive issues, a negative impact upon diversity of content choices
for Users, and (quite ironically) little to no improvement on consumer
privacy choices. Although given that we haven't done a great job as a group
of articulating the privacy harms we're trying to address, I suspect this
final point may be lost on some.

I may have missed your point re: redirector hosts. What is the issue we're
trying to get at by pushing for redirector hosts to be treated as 3rd
parties?

>  
> I think it also underlies the emotional reaction to debates shown by some,
> either because they feel disadvantaged by the lack of a level playing field,
> or they feel that the original conception of DNT as a simple declarative
> indication of intent has been lost.
>  
> I believe the idea was a compromise in order to reach agreement, but that has
> patently not happened. In fact it has had the opposite effect.
>  
> Because only servers accessed in a 3rd party context need to amend their
> business practices, companies naturally try to ensure their operation is in
> the other category. This has led to continued debate about how the  categories
> are defined and differentiated  in the TPC and overly complex additions of
> protocol elements to the TPE. For example, extra qualifiers in the request and
> the response headers have had to be invented, which Ian pointed out was
> becoming tedious.
>  
> I also think this had made reaching agreement on exemptions more difficult,
> because DNT has a greater impact on parties that rely on 3rd party elements
> and do not have the high traffic sites. This fundamental unfairness has led to
> some inventing ever more exemption categories to get their operations off the
> hook.
>  
> My opinion is that there should be no difference in the compliance spec
> between 1st and 3rd parties, the DNT:1 signal should mean UUIDs must not be
> allocated or used without consent, and we should put more effort in designing
> an effective and transparent exception protocol. As has been pointed out many
> times this distinction cannot apply in Europe anyway. The reason most of us
> are here is to respond to people’s unease about privacy and loss of trust in
> the web, and we should primarily address that.

As I've said, I'm increasingly uncomfortable with a complete first party
immunity to the DNT spec. But outside of trying to rein this notion in a
bit, I've been unable to come up with a solution that would not result in
accusations that I'm trying to blow up the whole process here.

Can you sketch out your idea a bit more? Are you advocating that items like
frequency capping would be covered under Permitted Uses? Or are you saying
that the storage of ANY UDID (other than fraud, security, etc) post
enactment of DNT would be off limits?

>  
> Mike
>  
>  
>  
> 
> From: Mike O'Neill [mailto:michael.oneill@baycloud.com]
> Sent: 10 November 2012 09:20
> To: ifette@google.com
> Cc: public-tracking@w3.org
> Subject: RE: Proposals for Compliance issue clean up
>  
> Ian,
>  
> Redirections are invisible to users so we cannot give the parties that host
> them carte blanche to ignore DNT. The 1st party/ 3rd party distinction is
> starting to make this whole process look ridiculous.
>  
> Mike
>  
> From: Ian Fette (イアンフェッティ) [mailto:ifette@google.com]
> Sent: 09 November 2012 21:07
> To: Aleecia M. McDonald
> Cc: public-tracking@w3.org (public-tracking@w3.org) (public-tracking@w3.org)
> Subject: Re: Proposals for Compliance issue clean up
>  
> 
> Aleecia, there was proposed text as an alternative to ISSUE-97/ACTION/196. See
> my work on ACTION-303 and proposals on that thread.
> http://www.w3.org/2011/tracking-protection/track/actions/303
> 
>  
> 
> In particular, I am not satisfied with redirects being treated as third
> parties and would object to that concept.
> 
>  
> 
> -Ian
> 
>  
> 
> On Fri, Nov 9, 2012 at 12:04 PM, Aleecia M. McDonald <aleecia@aleecia.com>
> wrote:
> Here are places we might have straight-forward decisions. If there are no
> responses within a week (that is, by Friday 16 November,) we will adopt the
> proposals below.
> 
> 
> For issue-97 (Re-direction, shortened URLs, click analytics -- what kind of
> tracking is this?)  with action-196, we have text with no counter proposal.
> Unless someone volunteers to take an action to write opposing text, we will
> close this with the action-196 text.
>         PROPOSED: We adopt the text from action-196,
> http://lists.w3.org/Archives/Public/public-tracking/2012Jun/0106.html
> 
> For issue-60 (Will a recipient know if it itself is a 1st or 3rd party?) we
> had a meeting of the minds
> (http://lists.w3.org/Archives/Public/public-tracking/2012Apr/0129.html) but
> did not close the issue. We have support for 3.5.2 Option 2,
> http://www.w3.org/2011/tracking-protection/drafts/tracking-compliance.html#def-first-third-parties-opt-2,
> with one of the authors of 3.5.1 Option 1,
> http://www.w3.org/2011/tracking-protection/drafts/tracking-compliance.html#def-first-third-parties-opt-2
> accepting Option 2. There was no sustained
> objection against Option 2 at that time. Let us find out if there is remaining
> disagreement.
>         PROPOSED: We adopt 3.5.2 Option 2,
> http://www.w3.org/2011/tracking-protection/drafts/tracking-compliance.html#def-first-third-parties-opt-2
> 
> For action-306, we have a proposed definition with accompanying non-normative
> examples
>         PROPOSED: We adopt the text from action-306 to define declared data,
> to be added to the definitions in the Compliance document,
> http://lists.w3.org/Archives/Public/public-tracking/2012Oct/0296.html
>         PROPOSED: We look for volunteers to take an action to write text
> explaining when and how declared data is relevant (See the note in 6.1.2.3,
> http://www.w3.org/2011/tracking-protection/drafts/tracking-compliance.html#first-party-data)
> to address issue-64
> 
>         Aleecia
>  
Received on Monday, 12 November 2012 14:54:34 UTC
