Re: tracking data (was Re: [TCS] comments on 17 Feb 2015 editors draft)

On Apr 9, 2015, at 1:09 PM, Justin Brookman wrote:

> So, to be clear, Section 3.3 would read in full (forgive dodgy formatting):
> When a third party to a given user action receives a DNT:1 signal in a related network interaction, that party may collect and use data about those network interactions when:
> 
>   •  a user has explicitly granted consent, as described below (Section 4. Consent);
> 
>   •  data is collected for the set of permitted uses described below (Section 3.3.2 Permitted Uses);
> 
>   •  or, the data is permanently de-identified as defined in this specification (Section 2.9 De-identification [ADD INTERNAL LINK]).
> Other than under those enumerated conditions, that party MUST NOT
>   •  collect data from this network interaction that would result in
>      data regarding this particular user being associated across
>      multiple distinct contexts;
> 
>   •  retain, use, or share data derived from this particular user's
>      activity outside the context in which that activity occurred; nor,
> 
>   •  use data about this particular user's activity in other contexts (e.g., to personalize a response to this network interaction)
> EXAMPLE 2
> An embedded widget provider (a third party to users' interactions with various sites) counts visitors' country of origin and device type but removes identifiers in order to permanently de-identify collected data. For the purposes of this specification, the party is not tracking the user and can create a static site-wide tracking status resource with a tracking status value of N to indicate that status.
> 
> Outside the permitted uses and explicitly-granted exceptions listed below, a third party to a given user action must not collect, share, or associate with related network interactions any identifiers that identify a specific user, user agent, or device. For example, a third party that does not require unique user identifiers for one of the permitted uses must not place a unique identifier in cookies or other browser-based local storage mechanisms.
> 
> *************
> 
> JB:  The rest of third-party compliance would I think not be affected (apart from the replacement of the term "tracking data" with "that data" and "data about that activity" in 3.3.1.3 and Example 4, respectively): http://www.w3.org/2011/tracking-protection/drafts/tracking-compliance.html#third-party-compliance
> 

Hmm, I don't like the way that EXAMPLE hides those later requirements.
Wouldn't it be better above the example, or maybe as a fourth bullet
now that the order has been reversed?

For the record, I don't consider those later requirements to be
implementable.  They originated in the June draft, without consensus,
and keep dragging along in spite of the fact that they require a
server to do something it simply cannot do: read the user's mind.

The other requirements are implementable because a server can
determine when it has received data about another context and
exclude that data to avoid tracking.  The same is not true about
setting random identifiers in cookies, since those are set by all
sorts of mechanisms that have no awareness of context, such as session
identifiers for load balancing.

....Roy

Received on Thursday, 9 April 2015 22:12:50 UTC