W3C home > Mailing lists > Public > public-tracking@w3.org > September 2012

RE: Proposal: all exemptions to be opt-out, and identity to be declared.

From: Mike O'Neill <michael.oneill@baycloud.com>
Date: Sun, 30 Sep 2012 13:05:35 +0100
To: "'Fred Andrews'" <fredandw@live.com>, <public-tracking@w3.org>
Message-ID: <001e01cd9f03$e69ba250$b3d2e6f0$@baycloud.com>
Fred,

 

I like this one. The existing TPC is getting weighed down by endless
qualifications to the point of being incomprehensible to anyone outside the
group. The whole point of DNT is to put the decision (to allow themselves to
be tracked) into the hands of users and this simple idea  does that.

 

The user supplied UID could be embellished a bit. It has the problem that
clear ID on every request would be visible to anyone and would make UA
fingerprinting a doddle, and also spoil the idea of a contract between the
tracked and the tracker.

 

How about the UID (once enabled by the user) is generated as new on every
request but is based on a concatenation of the user id with a continuously
changing random value and encrypted using a key. The key could then be
exchanged between the UA and a website using a JS API (gated by a UI). Then
only the website given the key could track that user, and the user has
absolute control over the process.

 

Mike

 

 

From: Fred Andrews [mailto:fredandw@live.com] 
Sent: 30 September 2012 00:41
To: public-tracking@w3.org
Subject: Proposal: all exemptions to be opt-out, and identity to be
declared.

 

Many in the advertising industry have been pointing out a need to collect
some identifiable information to meet reporting requirements.  For example,
a need to be able to record the country that an ad is delivered to.   Such
collection conflicts with the charter of this group.   I propose that this
matter be resolved by adding a UA identifier to the DNT header or to a
complementary header, and to include the declared country of the user in the
header.   Advertisers would be permitted to both use this identifier to
track users and target ads and to use it for reporting purposes.  Users that
do not want to be tracked may change the identifier as they deem necessary.
Since it is under user control, advertisers would presumable not be held
responsible in contracts for differences between the users declared country
and their actual country and advertiser would have a record for proof.

Many in the advertising industry have expressed a need for exemptions to 'Do
Not Track'.  Any exemption without user choice conflicts with the charter of
this group.  I propose to resolve this matter by requiring that all
exemptions be assigned a UA header flag and that websites only be permitted
the exemption when allowed by an explicit flag.  Local laws and law
enforcement needs override the DNT code of conduct anyway so there is no
need to include this in the document.  The exemptions would include first
party use, make a distinction between first party use before a user has
explicitly identified themselves and after, and include the use of UA
fingerprinting, etc.   The server would be required to return the flags it
is complying with as confirmation, and if DNT were deemed as negotiable then
the server would return the flags it is prepared to comply with.

Some users have expressed a desire to be tracked and profiled and to have
targeted ads delivered to them.  With this proposal they can choose a unique
identifier for themselves which they can share among their user agents, and
can declare their country so that they get appropriate ads even when
connecting via a tunnel or ipv6.  Further they can enable all uses of their
information.

Some users have expressed a desire not to be tracked at all.  This proposal
allows them to opt-out of being fingerprinted and to ensure that all servers
they connect to agree not track them for any purpose at to change their
identity as they deem necessary.  I would imagine that users would at least
agree to tracking after they have explicitly identified themselves to a
website, by signing in, but a UA may wish to negotiate even this to make
sure the user has really explicitly consented.

I believe this proposal meets the charter of this group far better that the
current proposals and call on the current proposals to be rewritten and
renegotiated along these lines.

cheers
Fred
Received on Sunday, 30 September 2012 12:06:15 UTC

This archive was generated by hypermail 2.3.1 : Friday, 21 June 2013 10:11:34 UTC