RE: ISSUE-5: Consensus definition of "tracking" for the intro? from Mike O'Neill on 2013-10-10 (public-tracking@w3.org from October 2013)

From: Mike O'Neill <michael.oneill@baycloud.com>
Date: Fri, 11 Oct 2013 00:17:14 +0100
To: "'John Simpson'" <john@consumerwatchdog.org>, "'Matthias Schunter $Intel Corporation$'" <mts-std@schunter.org>
Cc: <public-tracking@w3.org>, "'Roy T. Fielding'" <fielding@gbiv.com>, "'David Singer'" <singer@apple.com>
Message-ID: <01df01cec60e$db4ef630$91ece290$@baycloud.com>
Hi Roy, Matthias

 

How about we use option 4 (or a combination of options 3 & 4 with Rob's
non-normative text) for a definition of tracking and then add a derivative
definition of cross-domain tracking that contains the context qualification.

 

As in:

 

Cross-domain Tracking is a type of tracking in which data is collected or
retained by a party without the user being aware, i.e. by a party other than
the one in control of the web page the user has explicitly linked to or
visited. 

 

Non-Normative Text

This standard is intended to give a user the capability to limit
cross-domain tracking. In some jurisdictions the DNT signal could also be
taken to communicate explicit consent to wider data collection but the
standard does not address that.

 

The last bit is my attempt at non-normative sugar which might help make the
signal more useful in the EU.

 

Mike

 

From: John Simpson [mailto:john@consumerwatchdog.org] 
Sent: 10 October 2013 21:32
To: Matthias Schunter (Intel Corporation)
Cc: Mike O'Neill; public-tracking@w3.org; 'Roy T. Fielding'; David Singer
Subject: Re: ISSUE-5: Consensus definition of "tracking" for the intro?

 

Sorry for typos:

that should be " xxxx his suggested non-normative text:" at end of 1st
graph.

John

 

On Oct 10, 2013, at 1:15 PM, John Simpson <john@consumerwatchdog.org> wrote:





Hi Matthias,

 

I don't want to rain on your march toward consensus parade, but I have
trouble with the " across multiple parties' domains or services" language.
It seems to me Rob's language -- proposal 4 -- has it exactly right,
particular;y when you include is suggested uninformative text:

 

"Tracking is any form of collection, retention, use and/or application of
data that are, or can be, associated with a specific user, user agent, or
device. 

"non normative explanation: Tracking is not exclusively connected to unique
ID cookies. Tracking includes automated real time decisions, intended to
analyse or predict the personality or certain personal aspects relating to a
natural person, including the analysis and prediction of the person's
health, economic situation, information on political or philosophical
beliefs , performance at work, leisure, personal preferences or interests,
details and patterns on behavior, detailed location or movements. Tracking
is defined in a technological neutral way and includes e.g. cookie based
tracking technology, active and passive fingerprinting techniques."

I can live with what's in the the current editors draft:

 

Tracking is the retention or use, after a network interaction is complete,
of data that are, or can be, associated with a specific user, user agent, or
device.

 

Regards,

John

 

 

On Oct 10, 2013, at 3:15 AM, Matthias Schunter (Intel Corporation)
<mts-std@schunter.org> wrote:





Hi Mike,

thanks for your feedback!

I have two questions:
- Could you live with the proposed text if we decided not to change it?
- If not, are there specific (hopefully small) text changes that we could
make to allow you to live with this proposal?

Personal remark: While I agree with your points, it is important to note
that we aim for a text that is "good enough" and  does not need to be
perfect.
I.e., an outcome that introduces tracking in a understandable way while
covering 80% of what we mean would IMHO be good enough even if there are
some corner cases that are not captured 100% accurately.

Regards,
matthias
On 09/10/2013 22:11, Mike O'Neill wrote:



I agree with David Singer that this is unclear. It seems to say retention of
identifiers is OK within one domain origin but that would allow them by
third-party frames and via redirection via other origin hosts. I know we
don't mean that it could be read that way. To make it clear we would then
have to further qualify the definition, maybe later when it is used for
instance in the third-party compliance section. We would have to say data
cannot be retained if referer(sic) headers, URL query parameters,
postMessage events and whatever communicate cross-domain data i.e. that the
identifier is somehow "attributable" to another domain/service.

We could make this clear in the definition by adding some non-normative text
like:

Non-normative.
It follows from this that data such as unique identifiers cannot be retained
by a third-party if they can be associated with another host domain or
service.

Anyway, in my opinion the cross-domain qualification is already adequately
made elsewhere and putting it here just complicates things, so we should
remove "across multiple parties' domains or services and"  or use Option 3
or 4.

Mike


-----Original Message-----
From: Matthias Schunter (Intel Corporation) [mailto:mts-std@schunter.org]
Sent: 09 October 2013 18:36
To: public-tracking@w3.org (public-tracking@w3.org)
Subject: ISSUE-5: Consensus definition of "tracking" for the intro?

Hi Team,

during our call, it seemed that the group was converging on a consensus for
this definition of tracking (option 5 by Roy):

         Tracking is the collection of data across multiple parties'
domains or services and retention of that data in a
         form that remains attributable to a specific user, user agent, or
device.

It is our "old" definition - corrected for grammar.

Questions:
  (a) Are there further required improvements that we need to introduce?
  (b) Are there participants that cannot live with this style/type of
definition (assuming we can provide the required final fine-tuning)?

Regards,
matthias
Received on Thursday, 10 October 2013 23:17:46 UTC