Re: June Change Proposal, tracking

On Jun 30, 2013, at 23:29 , Roy T. Fielding <fielding@gbiv.com> wrote:

> On Jun 27, 2013, at 3:52 PM, David Singer wrote:
>> On Jun 26, 2013, at 5:38 , Roy T. Fielding <fielding@gbiv.com> wrote:
>> 
>>> This is ISSUE-5
>>> 
>>> The June draft has a definition of tracking that is not consistent
>>> with the rest of our protocol,
>> 
>> can you explain in what way?  It would help me understand what needs fixing.
> 
> There is a lot of data that can be associated with a specific user,
> user agent, or device.  IP address, screen resolution, window size,
> and request-URI are the obvious ones.  For the most part, sites
> that aren't in the business of tracking don't know what parts of
> a request might be unique.
> 
> If the definition of tracking is met by a common logfile kept
> for a few days, then all sites track.

well, that's why we have a raw data permission (well, we had it, and I propose putting it back).  You're right, a raw log contains a lot of the 'ingredients' needed to build a tracking database.  We need to say something intelligent about it.

>  If we want to limit the
> practice of actively following a user across distinct sites,
> as opposed to retaining information at a single site that just
> happens to be unique, then we should define "Do Not Track"
> according to what we are limiting.

As you say, I previously floated the idea that users might be willing to allow sites to record 'tunnel vision' only their interaction with a user, and nothing about other sites.  Since this allows some degree of tracking by the 3rd parties, and since the whole 1st/3rd party distinction has problems (it's not machine testable, for a start), I suggested that, as a trade-off to allowing this degree of tracking, we could put all parties under the same rules.  This didn't fly.  I still think it was worth exploring, as some of the 'permissions' might not be needed either.

Personally, I am comfortable with the 'gut level' definition of tracking we have, less comfortable with the party distinctions, and not crazy about the permissions.  But the definition, permissions, and party distinction we have today do hang together.

Maybe there is yet another model that hangs together (other than today's 1st/3rd + permissions, and my 'tunnel vision' model), but I fear it needs explicit working through, and I also fear it's very late in the process to change fundamental model.

> If not, then we should state up front that all websites track
> and Do Not Track will not turn that off.

Or, we can do the raw data permission.

> 
>>> nor with what the user is asking us
>>> to turn off when sending DNT:1.
>> 
>> I am not sure any of us are qualified to speak on behalf of the "universal user", but in several workshops it became clear that the users expected sites "to stop remembering information about me" which is roughly what the current definition says.  But nonetheless, what do you think users are asking for?
> 
> To not follow them across unrelated contexts.  Whether context
> in that sense is defined as a single site or a group of related
> sites doesn't matter to me, so long as we are consistent.
> 
> DNT:1 does not mean "don't remember anything about me" because
> we don't want the user's first-party web experience to suffer
> horrendously just for the sake of turning off third-party tracking.


We also allow much more latitude to the 1st party today, basically for precisely that reason.

David Singer
Multimedia and Software Standards, Apple Inc.

Received on Monday, 1 July 2013 18:06:50 UTC