Re: Mapping the "framework" to ISSUEs

Colleagues

Jonathan's work here is tremendously valuable as a reality check for the working group.  It makes it crystal clear that the "framework" has done little to move us forward on resolving long discussed issues,  many of which have competing text proposals. Frameworks and 30,000-foot overviews have their time and place, but that time is largely past. If this WG is to produce a DNT meaningful standard, we need to return to the documented issues, resolve them and produce text.  Frankly, I as increasingly skeptical that is possible.

Regards,
John

On May 7, 2013, at 1:04 AM, Jonathan Mayer <jmayer@stanford.edu> wrote:

> Working Group Colleagues,
> 
> Much of the proposed "framework," as I understand it, is a shorthand synthesis of disparate conversation strands rather than a substantive resolution of unresolved topics.  As preparation for this week's meeting, I found it helpful to map the framework against the longstanding and well-documented formal ISSUEs that we all have been working on.  I thought others in the group might similarly find the approach productive, so I've shared the mapping below.  I've bolded ISSUEs that seemed particularly relevant and frequently discussed.
> 
> Best,
> Jonathan
> 
>> 1. DNT would be honored by third parties that collect tracking data, and these third parties would not collect tracking data on any browser where the consumer has activated the DNT functionality. Third parties could still collect data for the narrow set of permitted uses. For DNT:1 users, if an entity has a permitted basis for collection of such information, the entity can use the data only for the permitted uses.
> ISSUE-2: What is the meaning of DNT (Do Not Track) header?
> ISSUE-5: What is the definition of tracking?
> ISSUE-9: Understand all the different first- and third-party cases.
> ISSUE-10: What is a first party?
> ISSUE-16: What does it mean to collect data? (caching, logging, storage, retention, accumulation, profile etc.)
> ISSUE-17: Data use by 1st Party
> ISSUE-18: Collection definition (not sure I said the prefix before?)
> ISSUE-19: Data collection / Data use (3rd party)
> ISSUE-20: Different types of data, what counts as PII, and what definition of PII
> ISSUE-22: Still have "operational use" of data (auditing where of where ads are shown, impression tracking, etc.)
> ISSUE-23: Possible exemption for analytics
> ISSUE-24: Possible exemption for fraud detection and defense
> ISSUE-25: Possible exemption for research purposes
> ISSUE-28: Exception for mandatory legal process
> ISSUE-30: Will Do Not Track apply to offline aggregating or selling of data?
> ISSUE-31: Minimization -- to what extent will minimization be required for use of a particular exemption? (conditional exemptions)
> ISSUE-34: Possible exemption for aggregate analytics
> ISSUE-36: Should DNT opt-outs distinguish between behavioral targeting and other personalization?
> ISSUE-39: Tracking of geographic data (however it's determined, or used)
> ISSUE-49: Third party as first party - is a third party that collects data on behalf of the first party treated the same way as the first party?
> ISSUE-54: can first parties use declared data while in a 3rd party context?
> ISSUE-55: What is relationship between behavioral advertising and tracking, subset, different items?
> ISSUE-64: How do we describe non-identifiable data
> ISSUE-65: How does logged in and logged out state work
> ISSUE-71: Does DNT require purging or modifying data collected in the past (not under DNT)?
> ISSUE-72: Basic principle: independent use as an agent of a first party
> ISSUE-73: In order for analytics of other contracting to count as first-party: by contract, by technical silo, both silo and contract
> ISSUE-74: Are surveys out of scope?
> ISSUE-88: different rules for impression of and interaction with 3rd-party ads/content
> ISSUE-89: Does DNT mean at a high level: (a) no customization, users are seen for the first time, every time. (b) DNT is about dat moving between sites
> ISSUE-91: Might want prohibitions on first parties re-selling data to get around the intent of DNT
> ISSUE-92: If data collection (even very specific with IP address, user agent, referrer) is time-limited, with very limited retention, is that still tracking?
> ISSUE-97: Re-direction, shortened URLs, click analytics -- what kind of tracking is this?
> ISSUE-99: How does DNT work with identity providers?
> ISSUE-103: We're not sure where the exceptions should be and ensure they are categorically captured in the based 3rd party prohibition statements
> ISSUE-117: Terms: tracking v. cross-site tracking
> ISSUE-122: Should we have use limitations on referrer data?
> ISSUE-134: Would we additionally permit logs that are retained for a short enough period?
> ISSUE-142: How should protocol data be allowed to be used in the first N weeks?
> ISSUE-154: Are First parties allowed to use data (either offline or online) from third parties
> ISSUE-169: What do we mean by tracking?
> ISSUE-170: Definition of and what/whether limitations around data append
> ISSUE-178: Add "Marketing" to list of permitted uses in Compliance document
> ISSUE-179: Make sure in the spec that we clarify information provided explicitly by a user (e.g. data typed into a form on a site with a clear privacy policy) is not subject to DNT.
> ISSUE-180: Add "advertising" as a Permitted Use in the Compliance Document
> ISSUE-181: Finalize language regarding multiple first parties
> ISSUE-188: Definition of unlinkable data
> ISSUE-190: Sites with multiple first parties
> ISSUE-191: Non-normative Discussion of De-Identification
>> 2. Non-compliance with DNT would be a DAA violation.
> ISSUE-35: How will DNT interact with existing opt-out programs (industry self-reg, other)?
> ISSUE-45: Companies making public commitments with a "regulatory hook" for US legal purposes
> ISSUE-48: Response from the server should indicate the server will honor it
> ISSUE-53: How should opt-out cookie and DNT signal interact?
> ISSUE-56: What if DNT is unspecified and an opt-out cookie is present?
> ISSUE-58: What if DNT is explicitly set to 0 and an opt-out cookie is present?
>> 3. The DAA would modify its current codes, notably including the current “market research” and “product development” exceptions to collection limits, including evaluation of potential retention limitation.
> ISSUE-22: Still have "operational use" of data (auditing where of where ads are shown, impression tracking, etc.)
> ISSUE-25: Possible exemption for research purposes
>> 4. For DNT:1 users, there would be no persistent IDs if there is not a permitted use. The use of persistent IDs for permitted uses would be limited to the extent practical, and any such persistent IDs would be used only for any such permitted use. There would be of a broader study or effort to address data hygiene in the advertising eco-system, with the aim of identifying feasible, privacy-protective practices over time.
> Discussion of unique IDs cuts across many of the ISSUEs under #1.
>> 5. We would determine a way to have the DAA codes become a way for compliance with the W3C syntax. Thus, the DAA standard with the above modifications would be the working standard for companies. Adapt the W3C standard to conform to this approach. DAA would support and enforce against that.
> ISSUE-35: How will DNT interact with existing opt-out programs (industry self-reg, other)? 
>> 6. DNT would be off by default. Specific standard on how to implement:
>> a. Through browsers—this is about browsers and not other user agents. Other user agents (UA) would not set a DNT flag in this round of the W3C work, and would be prohibited from activating a browser’s DNT flag.
>> b. The browser choice setting would be available in the browser settings panel, accessible from the traditional browser settings—not through an installation process or other similar mechanism.
>> c. Develop technological measures that, together with non-technological measures, greatly reduce the risk that anyone other than consumers are setting the choice. Develop a process on how to achieve this in a short time frame (3 months).
>> d. Brief and neutral description of the impact of turning the setting on. The browser choice setting would communicate the following to consumers:
>> i. The fact that if the browser choice setting is activated it limits collection and use of web viewing data for certain advertising and other purposes;
>> ii. The fact that when the browser setting is activated some data may still be collected and used for certain purposes and a description of such purposes; and
>> iii. The fact that if a consumer affirmatively allows a particular business to collect and use information about web viewing activities that the activating the setting will not limit collection and use from such entity.
> ISSUE-4: What is the default for DNT in client configuration (opt-in or opt-out)?
> ISSUE-8: How do we enhance transparency and consumer awareness?
> ISSUE-13: What are the requirements for DNT on apps/native software in addition to browsers?
> ISSUE-33: Complexity of user choice (are exemptions exposed to users)?
> ISSUE-41: Consistent way to discuss tracking with users (terminology matters!)
> ISSUE-42: Feedback to the user from the browser when Do Not Track is turned on
> ISSUE-95: May an institution or network provider set a tracking preference for a user?
> ISSUE-104: Could use a better defn of user agent, rather than browser
> ISSUE-143: Activating a Tracking Preference must require explicit, informed consent from a user
> ISSUE-144: User-granted Exceptions: Constraints on user agent behavior while granting and for future requests?
> ISSUE-149: Compliance section for user agents
> ISSUE-150: DNT conflicts from multiple user agents
> ISSUE-151: User Agent Requirement: Be able to handle an exception request
> ISSUE-152: User Agent Compliance: feedback for out-of-band consent
> ISSUE-153: What are the implications on software that changes requests but does not necessarily initiate them?
> ISSUE-161: Do we need a tracking status value for partial compliance or rejecting DNT?
> ISSUE-162: If we have a mechanism for indicating partial compliance, how do we convey to the user why, and what is
> ISSUE-163: How in the spec should we ensure user agents don't twist a user preference one way or another?
> ISSUE-172: How should user agents be required to provide information about DNT?
> ISSUE-176: Requirements on intermediaries/isps and header insertion that might affect tracking
> ISSUE-177: Should we specify compliance requirements for software and hardware other than user agents? For example, is a web server package compliant if it tweaks DNT headers?
> ISSUE-186: Ensure that browsers communicate DNT functionality accurately
> ISSUE-194: How should we ensure consent of users for DNT inputs?
>