WWW/2011/tracking-protection/drafts tracking-compliance.html,1.71,1.72 from Justin Brookman via cvs-syncmail on 2012-09-24 (public-tracking-commit@w3.org from September 2012)

From: Justin Brookman via cvs-syncmail <cvsmail@w3.org>
Date: Mon, 24 Sep 2012 03:11:51 +0000
To: public-tracking-commit@w3.org
Message-Id: <E1TFz5L-00035M-JO@lionel-hutz.w3.org>
Update of /w3ccvs/WWW/2011/tracking-protection/drafts
In directory hutz:/tmp/cvs-serv11748

Modified Files:
	tracking-compliance.html 
Log Message:
Halfway thru Wainburg and other changes

Index: tracking-compliance.html
===================================================================
RCS file: /w3ccvs/WWW/2011/tracking-protection/drafts/tracking-compliance.html,v
retrieving revision 1.71
retrieving revision 1.72
diff -u -d -r1.71 -r1.72
--- tracking-compliance.html	14 Sep 2012 19:27:38 -0000	1.71
+++ tracking-compliance.html	24 Sep 2012 03:11:49 -0000	1.72
@@ -55,7 +55,9 @@
         <a href="http://www.w3.org/2011/tracking-protection/track/issues/pendingreview">pending review</a>,
         <a href="http://www.w3.org/2011/tracking-protection/track/issues/closed">closed</a>, and
         <a href="http://www.w3.org/2011/tracking-protection/track/issues/postponed">postponed</a>
-        issues regarding this document.
+        issues regarding this document.  Options included in this draft should not be read as limitations on
+		the potential outcome, but rather simply as possible options that are currently under consideration
+		by the working group.
       </p>
 </section>
 
@@ -83,7 +85,12 @@
   </p>
 	<p>While there are a variety of business models to monetize content on the web, many rely on advertising. Advertisements can be targeted to a particular user's interests based on information gathered about one's online activity. While the Internet industry believes many users appreciate such targeted advertising, as well as other personalized content, there is also an understanding that some people find the practice intrusive. If this opinion becomes widespread, it could undermine the trust necessary to conduct business on the Internet. This Compliance specification and a companion [[!TRACKING-DNT]] specification are intended to give users a means to indicate their tracking preference and to spell out the obligations of compliant websites that receive the Do Not Track message. The goal is to provide the user with choice, while allowing practices necessary for a smoothly functioning Internet. This should be a win-win for business and consumers alike. The Internet brings millions of users and web sites togeher in a vibrant and rich ecosystem. As the sophistication of the Internet has grown, so too has its complexity which leaves all but the most technically savvy unable to deeply understand how web sites collect and use data about their online interactions. While on the surface many web sites may appear to be served by a single entity, in fact, many web sites are an assembly of multiple parties coming together to power a user's online experience. As an additional privacy tool, this specification provides both the technical and compliance guidelines to enable the online ecosystem to further empower users with the ability to communicate a tracking preferences to a web site and its partners.</p>
 	<p>The accompanying <a href="http://www.w3.org/2011/tracking-protection/drafts/tracking-compliance.html#bib-TRACKING-DNT">TRACKING-DNT</a> recommendation explains how a user, through a user agent, can clearly express a desire not to be tracked. This Tracking Compliance and Scope recommendation sets the standard for the obligations of a website that receives such a DNT message.</p>
-	<p>Taken together these two standards should have four substantial outcomes:</p><ol start="1"><li>Empower users  to manage their preference around the collection and correlation of data about Internet activities that occur on different sites and spell out the obligations of sites in honoring those preferences when DNT is enabled.</li><li>Provide an exceedingly straightforward way for users to gain transparency and control over data usage and the personalization of content and advertising on the web.</li><li>Enable a vibrant Internet to continue to flourish economically by supporting innovative business models while protecting users' privacy.</li><li>Establish compliance metrics for operators of online services</li></ol><p>This solution is intended to be persistent, technology neutral, and reversible by the user. It aims to preserve a vibrant online ecosystem, privacy-preserving secondary data uses necessary to ecommerce, and adequate security measures. We seek a solution that is persistent, technology neural, and [something that speaks with the ability to opt back in], but that preserves a vibrant online ecosystem, privacy-preserving secondary data uses, and adequate security measures.</p>
+	<p>Taken together these two standards should have four substantial outcomes:</p><ol start="1"><li>Empower users  to manage their preference around the collection and correlation of data about Internet activities that occur on different sites and spell out the obligations of sites in honoring those preferences when DNT is enabled.</li><li>Provide an exceedingly straightforward way for users to gain transparency and control over data usage and the personalization of content and advertising on the web.</li><li>Enable a vibrant Internet to continue to flourish economically by supporting innovative business models while protecting users' privacy.</li><li>Establish compliance metrics for operators of online services</li></ol>
+<p>This standard has limited applicability to any practices by first parties, their service providers,
+subsidiaries, or affiliated companies. Under the standard, first parties may and will continue to collect
+and use data for tracking and other purposes. This standard is primarily directed at third parties.</p>
+
+<p>This solution is intended to be persistent, technology neutral, and reversible by the user. It aims to preserve a vibrant online ecosystem, privacy-preserving secondary data uses necessary to ecommerce, and adequate security measures. We seek a solution that is persistent, technology neutral, and [something that speaks with the ability to opt back in], but that preserves a vibrant online ecosystem, privacy-preserving secondary data uses, and adequate security measures.</p>
 </section>
 
 <section id="definitions">
@@ -108,6 +115,12 @@
 -->
 
 <p>This specification uses the term user agent to refer to any of the various client programs capable of initiating HTTP requests, including but not limited to browsers, spiders (web-based robots), command-line tools, native applications, and mobile apps [[!HTTP11]].</p>
+
+<p class=note>The has been recent discussion about whether the specification should differentiate among different
+types of users agents (such as general purpose browsers, add-ons, and stand-alone software programs), and
+possibly specify different compliance obligations depending on the type of user agent, or priority among different
+categories of user agents in the event of conflicting settings.</br></br>There is currently no open ISSUE associated with
+this discussion.</p>
 </section>
 
 	<section id="def-party">
@@ -567,14 +580,6 @@
 		<p class="informative">Non-normative explanatory text: Determination of a party's status is limited to a single interaction because a party's status may be affected by time, context, or any other factor that influences user expectations.</p>
 	</section>
 
-	<section id="def-transactional-data">
-	<h3>Transactional data</h3>
-<!--
-		<p class="note">This definition is consensus or near-consensus text from the pre-Seattle draft. However, it is unclear that it is necessary to the document.</p>
--->
-		<p>Transactional data is information about the user's interactions with various websites, services, or widgets which could be used to create a record of a user's system information, online communications, transactions and other activities, including websites visited, pages and ads viewed, purchases made, etc.</p>
-	</section>
-
 	<section id="def-collection">
 	<h3>Data collection, retention, use, and sharing</h3>
 		<p class="note">We have not had time to substantially edit the definitions of collection and tracking. These continue to be actively debated issues, as the resolution of the use of unique identifiers is likely to end up in these definitions.</p>
@@ -657,11 +662,17 @@
 <p>A user agent MUST offer a control to express a tracking preference to third parties.  The control MUST communicate the user's preference in accordance with the [[!TRACKING-DNT]] recommendation and otherwise comply with that recommendation.  A user agent MUST NOT express a tracking preference for a user unless the user has given express and informed consent to indicate a tracking preference.</p>
 <p>We do not specify how tracking preference choices are offered to the user or how the preference is enabled: each implementation is responsible for determining the user experience by which a tracking preference is enabled. For example, a user might select a check-box in their user agent's configuration, install an extension or add-on that is specifically designed to add a tracking preference expression, or make a choice for privacy that then implicitly includes a tracking preference (e.g., "Privacy settings: high"). Likewise, a user might install or configure a proxy to add the expression to their own outgoing requests.</p>
 <p class="option">Shane's proposal has suggested the additional compliance requirements of user agents:<br />1. The User Agent must also make available via a link in explanatory text where DNT is enabled to provide more detailed information about DNT functionality<br />2. Any User Agent claiming compliance must have a functional implementation of the browser exceptions in this specification</p>
+
+<p class="issue" data-number="150" title="DNT conflicts from multiple user agents"></p>
+<p class=issue data-number=153 title="What are the implications on software that changes requests but does not necessarily initiate them?"</p>
+
 </section>
 
 <section id="third-party-compliance">
 <h3>Third Party Compliance</h3>
-<p class="note">We will be using this language as one of three or more options to evaluate for third party compliance.</p>
+<p class="note">We will be using this language as one of three or more options to evaluate for third party compliance.
+This section addresses the crux of what DNT is intended to accomplish, and as such, all of this section remains
+hotly debated.</p>
 
 <p>If the operator of a third-party domain receives a communication to which a DNT:1 header is attached:</p>
 <ol start="1"><li>that operator must not collect, share, or use information related to that communication outside of the permitted uses as defined within this standard and any explicitly-granted exceptions, provided in accordance with the requirements of this standard;</li><li>that operator must not use information about previous communications in which the operator was a third party, outside of the explicitly expressed permitted uses as defined within this standard;</li><li>that operator may delete information about previous communications in which the operator was a third party, outside of the explicitly expressed permitted uses as defined within this standard.</li></ol>
@@ -753,9 +764,7 @@
 <h5>Security and Fraud Prevention</h5>
 <p>Regardless of DNT signal, information may be collected, retained and used for detecting security risks and fraudulent activity, defending from attacks and fraud, and maintaining integrity of the service.  This includes data reasonably necessary for enabling authentication/verification, detecting hostile transactions and attacks, providing fraud prevention, and maintaining system integrity. In this example specifically, this information may be used to alter the user's experience in order to reasonably keep a service secure or prevent fraud.</p>
 
-<!-- Someone credited this to me (Heather) and it's definitely not from me, so I'm removing it until we have a proposal there
 <p class="note">In Seattle, we discussed a compromise"graduated response" approach that allows third parties to retain data for a short period if no problems are apparent, and to use/retain longer only if there is reason to believe there is a problem.</p>
--->
 
 <section class="informative" id="security-example"><h6>Examples</h6>
 <p class="note">Add examples with and without outsourced parties (J- not sure what this means)</p></section>
@@ -765,7 +774,6 @@
 <h5>Debugging</h5>
 
 <p>Regardless of DNT signal, information may be collected, retained and used for identifying and repairing errors that impair existing intended functionality.</p>
-<p class="note">In Seattle, we discussed a compromise"graduated response" approach that allows third parties to retain data for a short period if no problems are apparent, and to use/retain longer only if there is reason to believe there is a problem.</p>
 
 <section class="informative" id="debugging-discussion"><h6>Discussion</h6>
 <p>Detailed information is often necessary to replicate a specific user's experience to understand why their particular set of variables is resulting in a failure of expected functionality or presentation.  These variables could include items such as cookie IDs, page URLs, device or UA details, content specifics, and activity/event specifics to narrow in on the cause of the discrepancy.</p></section>
Received on Monday, 24 September 2012 03:11:52 UTC