Re: ISSUE-5: Consensus definition of "tracking" for the intro?

On Oct 11, 2013, at 3:11 AM, Mike O'Neill wrote:

> Roy,
>  
> The examples you give do not constrain tracking consent to the cross-domain situation.

The examples I gave demonstrated how the other proposed definitions
do not actually define tracking.  What they define is retention of
personal data. Hence, they far overreach the scope of this WG.

> Sure, when you visit a site they may track you, but they don’t have to. If you log in you are giving consent to be identified on subsequent visits (authenticated by a persistent unique id) but you have given consent. This is recognised by the ePrivacy directive as storage “strictly necessary to fulfil a service specifically requested by the user”, and in our standard by the UGE API or letting OOBC override DNT. If you visit your bank with DNT set they could say (and they have to anyway in Europe) “when you click the login button you are giving consent to us storing data in your browser so we can recognise your browser in future visits. This data will be deleted after X days if you do not visit us again within that period.”. There is no requirement for more clicks from the user, just that they be given a simple explanation of what is going on.

What you describe are provisions of the ePrivacy directive, not DNT.
They have almost nothing to do with the scope of our work other than
the fact that *some* mechanisms that perform tracking *do* conflict
with the provisions of the ePrivacy directive if prior consent is
not obtained.  DNT does not change that, in any way, and the bank has
to say exactly the same thing regardless of DNT because the bank has
no way of verifying that this specific user is the one who set DNT.

> If you casually browse a site without specifically identifying yourself by logging in or registering then in my opinion you should be informed before you are tracked.

Yes, that's a fine opinion to have, but it doesn't change the fact
that a site is not tracking you just because you logged in.
It is authenticating you.  There is a huge difference between
authenticating that a user at one site has access to their own
account at that site, and that same authentication data being used
to follow the user's activity at other sites.  The latter is clearly
an issue with federated identity services, and if we don't define
tracking correctly then we can't explain why logging in is
necessary to preserve privacy in some cases while at the same time
tracking based on login is a *potential* violation of privacy.

> Your point about CCTV is addressed by the permitted uses and purpose limitation.

No, it is not.  Permitted uses allow the law enforcement to track
a user.  There is no need to permit fixed camera observation of
private premises because data collection alone is not tracking.
The fact that it is collection of personal data and is subject to
data protection laws (even in the US) does not change the fact
that recording video at a single source, without combining it with
any other sources, does not amount to tracking.  DNT does not have
the same scope as data protection.

> The reason this is an issue is the early decision by this group to limit itself to cross-domain tracking, and as I have said this caused more difficulties than it solved (not least the loss of a level playing field). If we can quickly get to a meaningful consensus around the context qualification then I don’t wish to rock the boat but we should not reduce the clarity of the compliance spec by overloading it on to the definition of tracking.

No, the reason this is an issue is because many participants in the
working group are trying to address all privacy problems, including
the entire suite of data protection laws, under the rubric of tracking.

We are not chartered to do that.  Please stop.  This overreach is
killing our ability to solve the specific problem that this working
group was chartered to address.

....Roy