Re: tracking data (was Re: [TCS] comments on 17 Feb 2015 editors draft)

Justin,
I'm okay with this addition to the non-normative section.
- Shane

Shane Wiley
VP, Privacy & Data Governance
Yahoo
From: Justin Brookman <jbrookman@cdt.org>
To: Walter van Holst <walter@vanholst.com>
Cc: public-tracking@w3.org
Sent: Thursday, April 9, 2015 7:38 AM
Subject: Re: tracking data (was Re: [TCS] comments on 17 Feb 2015 editors draft)

Right, this is a different issue than the use of the term "tracking data."  Contractual agreements with third parties to not try to reidentify data sets are one way to ensure that deidentified data stays that way.  For example, the FTC's test for deidentification is (1) a reasonable belief that the data can't be reidentified, (2) a commitment not to reidentify, and (3) a commitment not to reidentify from everyone you give the data set to.
I personally would be fine adding language about this to this non-normative guidance --- would just adding "and agreements" to the second bullet do it?
   - technical safeguards that prohibit re-identification of de-identified data;
   - business processes and agreements that specifically prohibit re-identification of de-identified data;
   - business processes that prevent inadvertent release of de-identified data;
   - administrative controls that limit access to de-identified data
To be clear, we are not requiring contracts against reidentification --- this would just suggest it as one way to ensure that deidentified data sets stay deidentified.
Shane, you had objected to Walter's language as going beyond the scope of what was intended --- does my language go too far for you, or are you OK with identifying contracts as one potential tool for deidentification?

On Thu, Apr 9, 2015 at 8:47 AM, Walter van Holst <walter@vanholst.com> wrote:

On 2015-04-08 21:50, Justin Brookman wrote:

Walter had previously objected on the mailing list to removing
"tracking data" from the non-normative discussion of
de-identification.  However, participants on the call today didn't
think the removal of the term weakened that provision.
De-identification already requires technical processes to ensure that
*no one* can re-identify the data; the non-normative language simply
notes other prophylactic steps that can be taken to address the
persistent possibility of reidentification in the future.

For the record: I do not object to the removal of the term "tracking data". I specifically provided alternative wordings that would allow for its removal while retaining the intent and scope of the text. I have always been of the opinion that we can have a good spec without such a term, even though it might be helpful for getting there.

The core of my objection is that in the new text the obligation for having "business processes" that prevent re-identification could be read narrowly and would not prevent sharing de-identified data with a non-compliant party for the purpose of that party re-identifying that data. All while being able to claim DNT-compliance.

Regards,

 Walter

P.S. in the IRC log I noticed " if I'm embedded in the NYT and remember the user's visit to the NYT, that's not by itself tracking, I think.". I think that is a clear-cut case of tracking. A DNT-compliant third party embedded on the NYT website should basically ignore any information of me being on that site (while sending DNT:1) unless necessary for and confined to a permitted use, let alone which article. Like Shane correctly pointed out, rate-limiting is a permitted use, but that is not dependent on me being on the NYT website.

Received on Thursday, 9 April 2015 16:14:37 UTC