
Re: ACTION-253 ISSUE: 119 and ACTION 208 ISSUE-148 Response signal for "not tracking" and definition for DNT:0

From: David Singer <singer@apple.com>
Date: Thu, 13 Sep 2012 17:02:48 -0700
Cc: "Amy Colando (LCA)" <acolando@microsoft.com>, Nicholas Doty <npdoty@w3.org>, "public-tracking@w3.org" <public-tracking@w3.org>
Message-id: <D665CEF4-0AD1-4305-820C-F5B52DAE4765@apple.com>
To: David Wainberg <david@networkadvertising.org>

On Sep 13, 2012, at 16:42 , David Wainberg <david@networkadvertising.org> wrote:

> 
> On 9/13/12 4:48 PM, David Singer wrote:
>> On Sep 13, 2012, at 13:08 , "Amy Colando (LCA)" <acolando@microsoft.com> wrote:
>> 
>>> This is (one of) the items that continues to confuse me about the "no tracking" claim -- aren't all of these examples that David Singer cites below (including the original example of http://duckduckgo.com/) first parties?  In which case, having a first party say that they don't make use of the permitted uses that apply only to third parties makes little sense.  And I cannot imagine a scenario in which a third party would respond that they weren't making use of permitted use exceptions -- they simply wouldn't be present on the site at all.
>> Let's try some examples:
>> 
>> First parties that can say "we don't do tracking" -- general purpose sites, sites hosted by providers that only provide aggregate statistics, 'small' sites (think of high schools)
>> 
>> Third parties that can say "we don't do tracking" -- sites providing web resources like web badges, style sheets, and script libraries
>> 
>> These sites don't use anything a first party is allowed to do, let alone what a third party is allowed to do when it claims permissions, or gets an exception.  First-party sites that are 'non-tracking' can safely be embedded (if they allow it) in frames in other sites, for example (whereupon they now stand in a 3rd party position).
>> 
>> 
> This is where I get confused. Are we talking about data collection or use? Do you mean those sites would say they collect no data whatsoever? Or would they be saying they may collect some data but do not engage in the permitted uses?
> 


ah, OK.  I am guessing that it would have to be mostly about collection, sure.  Otherwise, as you say, if they collect a lot of data which could be worked into tracking data, then we're into permitted uses.

In most protocols, 'not implementing' is usually a sign of something not being relevant.  The problem is, in this case, it's impossible to tell the difference between an 'innocuous' site and a site that does, in fact, engage in tracking, but hasn't yet implemented the protocol.  Honestly, having high schools add even a simple well-known-resource or/and a server config so that they statically serve a header is more than one would normally ask, but I can't think of any other way right now for these 'simple' sites that don't bother even to accumulate the data that might be worked into tracking data, to say so.

Having said all that, we probably have bigger fish to fry.

David Singer
Multimedia and Software Standards, Apple Inc.
Received on Friday, 14 September 2012 00:03:18 UTC
