Re: LCWD: Tracking Compliance and Scope from Nick Doty on 2015-12-16 (public-tracking-comments@w3.org from December 2015)

From: Nick Doty <npdoty@w3.org>
Date: Tue, 15 Dec 2015 23:16:31 -0800
To: timeless <timeless@gmail.com>
Cc: public-tracking-comments@w3.org, David Singer <singer@apple.com>, "fielding@gbiv.com" <fielding@gbiv.com>
Message-Id: <0A19F338-733D-4041-85B2-73C90D884062@w3.org>
Hi Josh,

Many thanks for your comments. Replies inline.

> On Aug 25, 2015, at 7:31 PM, timeless <timeless@gmail.com> wrote:
> 
> Tracking Compliance [1]
> 
>> That confidence may result from ensuring or demonstrating that it is no longer possible to:
>>   isolate some or all records which correspond to a device or user;
>>   link two or more records (either from the same database or different databases), concerning the same device or user;
> and/or ?
>>   deduce, with significant probability, information about a device or user.

Corrected, to include "or", since all are relevant and the clause is negative.

>> The restrictions might include, for example:
>>   technical safeguards that prohibit re-identification of de-identified data;
>>   business processes that specifically prohibit re-identification of de-identified data;
>>   business processes that prevent inadvertent release of de-identified data;
> and/or ?
>>   administrative controls that limit access to de-identified data.

This is a list of examples, any or all of which might be included. I'm not adding a conjunction to this one.

>> A party collects data received in a network interaction if that data remains within the party’s control after the network interaction is complete.
>> In order to indicate a party's compliance with a user's expressed tracking preference as described in this specification for a given resource, an origin server:
> 
> you aren't consistently using plain/fancy quotes

Fixed to all plain quotes. (Welcome input from editors on this point if there is a common expectation of fancy quotes. I believe tracking-dnt also has a mix at the moment.)

>> When a third party to a given user action receives a DNT:1 signal in a related network interaction, that party MAY collect and use data about those network interactions when:
> 
>> 1. a user has explicitly granted consent, as described below (Section 4. Consent);
>> 2. data is collected for the set of permitted uses described below (Section 3.3.2 Permitted Uses);
> 
> usually the conjunction is at the end of the preceding line, not at
> the beginning of the next item:

Fixed, thanks.

>> 3. or, the data is permanently de-identified as defined in this specification.
> 
>> Other than under those enumerated conditions, that party:
> 
>> 1. MUST NOT collect data from this network interaction that would result in data regarding this particular user being associated across multiple contexts;
> see here:
>> 2. MUST NOT retain, use, or share data from this particular user's activity outside the context in which that activity occurred; and
>> 3. MUST NOT use data from network interactions with this particular user in a different context.
> 
> I don't see any reason for either of these lists to be numbered
> instead of bulleted.

It has been useful in discussions to have the lists numbered, because people often refer to the "second requirement", or say in conversation "#3 means that...".

>> Examples of using a graduated response for data minimization in security and fraud prevention include:
> 
> capitalize:
>> recording all use from a given IP address range, regardless of DNT signal, when the party believes it is seeing a coordinated click fraud attack on its service from that IP address range.
> capitalize + add period:

Good catch, this was strangely inconsistent. These aren't complete sentences, so I've ended the first with a semi-colon instead of a period and won't capitalize them.

>> collecting all data matching an identifiable fingerprint (a combination of User Agent and other protocol information, say) and retaining logs until it can be determined that they are not associated with such an attack or such retention is no longer necessary to support prosecution
> 
> ", say"??

Changed to "for example" as a more clear idiom. (Also, noted that this is the User-Agent header we're talking about, not a random capitalization of "user agent".)

The Editor's Draft has been updated to reflect these changes:
http://www.w3.org/2011/tracking-protection/drafts/tracking-compliance.html <http://www.w3.org/2011/tracking-protection/drafts/tracking-compliance.html>

Thanks again; please let us know whether these changes/explanations resolve your concerns.
—Nick
Received on Wednesday, 16 December 2015 07:16:44 UTC