RE: do not track list? from Chappelle, Kasey, VF-Group on 2010-11-17 (public-privacy@w3.org from October to December 2010)

From: Chappelle, Kasey, VF-Group <Kasey.Chappelle@vodafone.com>
Date: Wed, 17 Nov 2010 13:49:08 +0100
To: "Thomas Roessler" <tlr@w3.org>, "Rigo Wenning" <rigo@w3.org>
Cc: <public-privacy@w3.org>
Message-ID: <DED01886A1779C459E4D5C8985C8D3DE0202089E@VF-MBX19.internal.vodafone.com>

Tracking has privacy implications regardless of whether it is
pseudonymised or anonymised, as long as single individual profile is
created. Very few network advertisers, for example, currently connect a
profile to any information that would generally be considered
"identifiable", but these programmes are still heavily scrutinised. See,
for example, the discussion in the FTC's self-regulatory principles,
here: 
http://www.ftc.gov/opa/2009/02/behavad.shtm

So it's hard to believe that any do-not-track solution would include a
carveout for pseudonymous or anonymous profiling. A more relevant
question, though, and one that I have not seen a clear answer to, is
whether it would also apply to aggregate tracking - the kind of
statistical analysis that does not capture individual profiles, but does
do some kind of tracking at the very lowest level to create those
statistics (unique visitors, for example). Some regulators already
consider this too to be privacy-invasive (see, for example, Germany's
dealings with Google Analytics:
http://eu.techcrunch.com/2009/11/24/google-analytics-illegal-germany/) 

-----Original Message-----
From: public-privacy-request@w3.org
[mailto:public-privacy-request@w3.org] On Behalf Of Thomas Roessler
Sent: 17 November 2010 12:29
To: Rigo Wenning
Cc: Thomas Roessler; public-privacy@w3.org
Subject: Re: do not track list?

On 15 Nov 2010, at 15:02, Rigo Wenning wrote:

>
http://www.nytimes.com/2010/11/10/business/media/10privacy.html?pagewant
ed=all&nl=todaysheadlines&emc=a26
> 
> there is a suggestion to have "do not tracking" lists following
> the example of the "do not call" lists. They imagine a browser 
> button or a button on the page. 
> 
> This looks like something where a discussion with technical folks 
> would be beneficial for the regulators. 

+1

It looks like some folks are working on a specific proposal:
	http://donottrack.us/

The basic idea: Put "X-Do-Not-Track: 1" into HTTP headers.  It would be
interesting to look at deployment (and compliance) incentives for this
technology, and at what it actually means for a user not to be tracked.

Also, what's the scope of this sort of exercise -- Do I opt out of all
tracking, including pseudonymous profiles?  Do I only opt out of
tracking that identifies me?

Thoughts?

--
Thomas Roessler, W3C  <tlr@w3.org>  (@roessler)

Received on Wednesday, 17 November 2010 12:49:37 UTC