- From: Justin Brookman <jbrookman@cdt.org>
- Date: Thu, 9 Apr 2015 12:30:18 -0400
- To: "Mike O'Neill" <michael.oneill@baycloud.com>
- Cc: Tracking Protection Working Group <public-tracking@w3.org>
- Message-ID: <CAF2uvujwa5E8TbTw+Pb4gynw=TC7=6PcdE5TH0NAgE3h7GzOeQ@mail.gmail.com>

I don't see how any of this could be characterized as a "massive" change. Which change do you object to --- the removal of "tracking data" from the non-normative section of de-ID, the inclusion of agreements within the non-normative section of de-ID, the removal of "tracking data" from third party compliance, or something else?

The data minimization section (http://www.w3.org/2011/tracking-protection/drafts/tracking-compliance.html#data-minimization-and-transparency) that addressed the issue of unique identifiers was resolved months ago; you withdrew your change proposal on unique identifiers because you were satisfied with the existing text. That section currently says

  A party must not rely on unique identifiers if alternative solutions are reasonably available.

On Thu, Apr 9, 2015 at 11:21 AM, Mike O'Neill <michael.oneill@baycloud.com> wrote:

> Also for the record: I strongly object to such late and massive changes being made to the text, especially the de-identification section, which was the result of much consensus building and a formal Call for Objections, and now also to the third-party compliance section which contained the essence of the document.
>
> Astonishingly, the text no longer contains any reference to personal identifiers which, as I have said - and everybody knows, is the intrinsic mechanism of tracking. The logical structure has also been inverted so there is now an assumption of collection, with compliance defined by explicit conditions for processing. These conditions are opaque and unintelligible to users and implementers. A lawyer could drive a coach and horses through them, letting bodies claim compliance while in fact not changing their behaviour at all.
>
> The most important question any implementer will ask:
>
> "Can a server executing a DNT request to a third-party resource use a persistent UID cookie, or another method that recognises the user in other interactions over time?"
>
> This document now has no answer to that.
>
> For the first time in years I was 30 minutes late to the 1 hour call, which had finished early by the time I arrived. I therefore ask that the issue be re-addressed next week.
>
> Mike
>
> > -----Original Message-----
> > From: Walter van Holst [mailto:walter@vanholst.com]
> > Sent: 09 April 2015 13:47
> > To: public-tracking@w3.org
> > Subject: Re: tracking data (was Re: [TCS] comments on 17 Feb 2015 editors draft)
> >
> > On 2015-04-08 21:50, Justin Brookman wrote:
> >
> > > Walter had previously objected on the mailing list to removing "tracking data" from the non-normative discussion of de-identification. However, participants on the call today didn't think the removal of the term weakened that provision. De-identification already requires technical processes to ensure that *no one* can re-identify the data; the non-normative language simply notes other prophylactic steps that can be taken to address the persistent possibility of reidentification in the future.
> >
> > For the record: I do not object to the removal of the term "tracking data". I specifically provided alternative wordings that would allow for its removal while retaining the intent and scope of the text. I have always been of the opinion that we can have a good spec without such a term, even though it might be helpful for getting there.
> >
> > The core of my objection is that in the new text the obligation for having "business processes" that prevent re-identification could be read narrowly and would not prevent sharing de-identified data with a non-compliant party for the purpose of that party re-identifying that data. All while being able to claim DNT-compliance.
> >
> > Regards,
> >
> > Walter
> >
> > P.S. in the IRC log I noticed "if I'm embedded in the NYT and remember the user's visit to the NYT, that's not by itself tracking, I think.". I think that is a clear-cut case of tracking. A DNT-compliant third party embedded on the NYT website should basically ignore any information of me being on that site (while sending DNT:1) unless necessary for and confined to a permitted use, let alone which article. Like Shane correctly pointed out, rate-limiting is a permitted use, but that is not dependent on me being on the NYT website.

Received on Thursday, 9 April 2015 16:31:10 UTC