CVS WWW/2011/tracking-protection/drafts

Update of /w3ccvs/WWW/2011/tracking-protection/drafts
In directory gil:/tmp/cvs-serv15338

Modified Files:
	tracking-compliance.html 
Log Message:
edits to tlr's feedback

--- /w3ccvs/WWW/2011/tracking-protection/drafts/tracking-compliance.html	2013/04/17 14:16:25	1.92
+++ /w3ccvs/WWW/2011/tracking-protection/drafts/tracking-compliance.html	2013/04/24 05:07:39	1.93
@@ -64,85 +64,10 @@
 
   <section id="introduction">
     <h2>Introduction</h2>
-
     <p class="note">
       The introduction will be re-worked after details of substantive text
       is closer to being finalized.
     </p>
-    <!-- <p>
-      The World Wide Web (WWW, or Web) consists of millions of sites
-      interconnected through the use of hypertext. Hypertext provides a
-      simple, page-oriented view of a wide variety of information that can be
-      traversed by selecting links, manipulating controls, and supplying data
-      via forms and search dialogs. A Web page is usually composed of many
-      different information sources beyond the initial resource request,
-      including embedded references to stylesheets, inline images,
-      javascript, and other elements that might be automatically requested as
-      part of the rendering or behavioral processing defined for that page.
-    </p>
-    <p>
-      Each of the hypertext actions and each of the embedded resource
-      references might refer to any site on the Web, leading to a seamless
-      interaction with the user even though the pages might be composed of
-      information requested from many different and possibly independent Web
-      sites. From the user's perspective, they are simply visiting and
-      interacting with a single brand &mdash; the first-party Web property &mdash; and
-      all of the technical details and protocol mechanisms that are used to
-      compose a page representing that brand are hidden behind the scenes.
-    </p>
-    <p>
-      It has become common for Web site owners to collect data regarding the
-      usage of their sites for a variety of purposes, including what led the
-      user to visit their site (referrals), how effective the user experience
-      is within the site (web analytics), and the nature of who is using
-      their site (audience segmentation). In some cases, the data collected
-      is used to dynamically adapt the content (personalization) or the
-      advertising presented to the user (targeted advertising). Data
-      collection can occur both at the first-party site and via third-party
-      providers through the insertion of tracking elements on each page. A
-      survey of these techniques and their privacy implications can be found
-      in [[KnowPrivacy]].
-    </p>
-    <p>
-      People have the right to know how data about them will be collected and
-      how it will be used. Empowered with that knowledge, individuals can
-      decide whether to allow their online activities to be tracked and data
-      about them to be collected. Many Internet companies use data gathered
-      about people's online activities to personalize content and target
-      advertising based on their perceived interests. While some people
-      appreciate this personalization of content and ads in certain contexts,
-      others are troubled by what they perceive as an invasion of their
-      privacy. For them, the benefit of personalization is not worth their
-      concerns about allowing entities with whom they have no direct
-      relationship to amass detailed profiles about their activities.
-    </p>
-    <p>
-      Therefore, users need a mechanism to express their own preference
-      regarding tracking that is both simple to configure and efficient when
-      implemented. In turn, Web sites that are unwilling or unable to offer
-      content without such targeted advertising or data collection need a
-      mechanism to indicate those requirements to the user and allow them (or
-      their user agent) to make an individual choice regarding user-granted
-      exceptions.
-    </p>
-    <p>
-      This specification defines the terminology of tracking preferences, the
-      scope of its applicability, and the requirements on compliant
-      first-party and third-party participants when an indication of tracking
-      preference is received. This specification defines the meaning of a Do
-      Not Track preference and sets out practices for websites and other
-      online companies to comply with this preference.
-    </p>
-    <p>
-      A companion document, [[!TRACKING-DNT]], defines the HTTP request
-      header field DNT for expressing a tracking preference on the Web, a
-      well-known location (URI) for providing a machine-readable tracking
-      status resource that describes a service's DNT compliance, the HTTP
-      response header field Tk for resources to communicate their compliance
-      or non-compliance with the user's expressed preference, and JavaScript
-      APIs for determining DNT status and requesting a site-specific,
-      user-granted exception.
-    </p> -->
   </section>
 
   <section id="scope-and-goals">
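Review bot: the drafted introduction is deleted outright here rather than left commented out, while the note kept above it still says the introduction "will be re-worked", and the log message ("edits to tlr's feedback") gives no hint that the text was dropped. Say in the log message that the commented-out draft was removed and remains available in revision 1.92, so whoever rewrites the section knows where to find it. Since the section is being touched anyway, the retained note's "details of substantive text is closer" should read "are closer".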
@@ -156,94 +81,12 @@
 	such that it can be attributed to a specific user, user agent, or device.</p>	
 	<p class="note">The scope language is not at consensus, but is an effort by
 	the editors to offer a provisional definition of tracking.</p>
-    <!-- <p>
-      While there are a variety of business models to monetize content on the
-      web, many rely on advertising. Advertisements can be targeted to a
-      particular user's interests based on information gathered about one's
-      online activity. While the Internet industry believes many users
-      appreciate such targeted advertising, as well as other personalized
-      content, there is also an understanding that some people find the
-      practice intrusive. If this opinion becomes widespread, it could
-      undermine the trust necessary to conduct business on the Internet. This
-      Compliance specification and a companion [[!TRACKING-DNT]]
-      specification are intended to give users a means to indicate their
-      tracking preference and to spell out the obligations of compliant
-      websites that receive the Do Not Track message. The goal is to provide
-      the user with choice, while allowing practices necessary for a smoothly
-      functioning Internet. This should be a win-win for business and
-      consumers alike. The Internet brings millions of users and web sites
-      together in a vibrant and rich ecosystem. As the sophistication of the
-      Internet has grown, so too has its complexity which leaves all but the
-      most technically savvy unable to deeply understand how web sites
-      collect and use data about their online interactions. While on the
-      surface many web sites may appear to be served by a single entity, in
-      fact, many web sites are an assembly of multiple parties coming
-      together to power a user's online experience. As an additional privacy
-      tool, this specification provides both the technical and compliance
-      guidelines to enable the online ecosystem to further empower users with
-      the ability to communicate a tracking preferences to a web site and its
-      partners.
-    </p>
-    <p>
-      The accompanying
-      <a href="http://www.w3.org/2011/tracking-protection/drafts/tracking-compliance.html#bib-TRACKING-DNT">TRACKING-DNT</a>
-      recommendation explains how a user, through a user agent, can clearly
-      express a desire not to be tracked. This Tracking Compliance and Scope
-      recommendation sets the standard for the obligations of a website that
-      receives such a DNT message.
-    </p>
-    <p>
-      Taken together these two standards should have four substantial
-      outcomes:
-    </p>
-    <ol start="1">
-      <li>Empower users to manage their preference around the collection and
-      correlation of data about Internet activities that occur on different
-      sites and spell out the obligations of sites in honoring those
-      preferences when DNT is enabled.</li>
-
-      <li>Provide an exceedingly straightforward way for users to gain
-      transparency and control over data usage and the personalization of
-      content and advertising on the web.</li>
-
-      <li>Enable a vibrant Internet to continue to flourish economically by
-      supporting innovative business models while protecting users'
-      privacy.</li>
-
-      <li>Establish compliance metrics for operators of online services</li>
-    </ol>
-    <p>
-      This standard has limited applicability to any practices by first
-      parties, their service providers, subsidiaries, or affiliated
-      companies. Under the standard, first parties may and will continue to
-      collect and use data for tracking and other purposes. This standard is
-      primarily directed at third parties.
-    </p>
-    <p>
-      This solution is intended to be persistent, technology neutral, and
-      reversible by the user. It aims to preserve a vibrant online ecosystem,
-      privacy-preserving secondary data uses necessary to ecommerce, and
-      adequate security measures. We seek a solution that is persistent,
-      technology neutral, and [something that speaks with the ability to opt
-      back in], but that preserves a vibrant online ecosystem,
-      privacy-preserving secondary data uses, and adequate security measures.
-    </p> -->
   </section>
 
   <section id="definitions">
     <h2>Definitions</h2>
-<!--
-<p class="note">The definitions section is a strawman proposal from editors
-based on discussion in Seattle. Many sections are not yet consensus text.</p>
--->
-
     <section id="def-user">
       <h3>User</h3>
-<!--
-<p class="note">This definition is consensus or near-consensus text from the
-pre-Seattle draft.</p>
--->
-
       <p>
         A <dfn>user</dfn> is an individual human. When user-agent software accesses
         online resources, whether or not the user understands or has specific
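Review bot: the comments removed under Definitions and User were the only markers in this hunk of each definition's status ("strawman proposal from editors", "consensus or near-consensus text from the pre-Seattle draft"), while the scope paragraph above keeps its visible "not at consensus" note. After this change the definitions carry no status at all. If the status still matters to readers of the draft, record it as a rendered `<p class="note">` in the same way as the scope note; if it is obsolete, mention that in the log message so the removal is not read as a claim of consensus.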
@@ -254,37 +97,16 @@
 
     <section id="def-user-agent">
       <h3>User Agent</h3>
-<!--
-<p class="note">This definition is consensus or near-consensus text from the
-pre-Seattle draft, but there may be some debate on the definition.</p>
--->
-
       <p>
         This specification uses the term <dfn>user agent</dfn> to refer to any of the
         various client programs capable of initiating HTTP requests,
         including but not limited to browsers, spiders (web-based robots),
         command-line tools, native applications, and mobile apps [[!HTTP11]].
       </p>
-      <p class="note">
-        There has been discussion about whether the specification
-        should differentiate among different types of users agents (such as
-        general purpose browsers, add-ons, and stand-alone software
-        programs), and possibly specify different compliance obligations
-        depending on the type of user agent, or priority among different
-        categories of user agents in the event of conflicting settings. There
-        is currently no open ISSUE associated with this discussion.
-      </p>
     </section>
 
     <section id="def-party">
       <h3>Party</h3>
-<!--
-<p class="note">Dsinger has asked to add something about the responsibility
-following the data</p>
--->
-      <!-- Justin, 2.1.13: The two definitions were so close that I just decided
-	  to merge them. -->
-
         <p>
           A <dfn>party</dfn> is any commercial, nonprofit, or governmental
           organization, a subsidiary or unit of such an organization, or
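Review bot: the `<p class="note">` removed under User Agent was rendered text, not a comment, and it says there is "currently no open ISSUE associated with this discussion". Deleting it drops this section's record of the question whether different types of user agents should carry different compliance obligations or priorities, with nothing left to track it. Either open an issue and reference it with a `<p class="issue" data-number=...>` marker as the file does elsewhere, or keep the note until the group closes the question.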
@@ -296,62 +118,11 @@
           page or the entity owner clearly identified within one click
           from each page.
         </p>
-      <!--  <p class="example">
-          A website with a clear labeled link to the Affiliate List within
-          the privacy policy would meet this requirement or the ownership
-          brand clearly labeled on the privacy policy itself and may choose
-          to act as a single party. -->
-        </p></section>
-    
-<!--
-A <dfn>functional entity</dfn> is any commercial, nonprofit, or governmental
-organization, a subsidiary or unit of such an organization, or a person.
-<br/><br/>
-Functional entities are <dfn>affiliated</dfn> when they are related by both
-common majority ownership and common control.
-<br/><br/>
-A <dfn>party</dfn> is a set of functional entities that are affiliated.
-
-<section>
-<h2>Transparency</h2>
-<p class="note">This section is at best out of place, and should be in the
-compliance section, not definitions.</p>
-<section>
-<h2>Requirement</h2>
-A <a>functional entity</a> must make its <a>affiliated</a> functional entities
-easily discoverable by a user.
-</section>
-<section>
-<h2>Non-Normative Discussion</h2>
-<p class="informative">Affiliation may be made easily discoverable by
-prominent and common branding by a functional entity of affiliation on its
-webpages, within a privacy policy linked from its webpages, or a
-machine-readable format in a well-known location.</p>
-
-<h2>Affiliated Parties</h2>
-<p class="note">I changed this text to reflect that it's a definition of
-affiliated parties, but should retain the requirement that an affiliated party
-must be discoverable in order to be considered affiliated under this
-draft.</p>
-<section>
-<h2>Requirement</h2>
-A <a>functional entity</a> must make its <a>affiliated</a> functional entities
-easily discoverable by a user.
-</section>
-<section>
-<h2>Non-Normative Discussion</h2>
-<p class="informative">Affiliation may be made easily discoverable by
-prominent and common branding by a functional entity of affiliation on its
-webpages, within a privacy policy linked from its webpages, or a
-machine-readable format in a well-known location.</p>
-</section> 
-</section>
-
-    </section> -->
+    </section>
 
     <section id="def-service-providers">
       <h4>Service Providers</h4>
-	  <p class=option>
+	  <p class="option">
         Outsourced <dfn>service providers</dfn> are considered to be the same party as their
         clients if the outsourced service providers only act as data processors on
         behalf of that party in relation to that party, silo the data so that it
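Review bot: with def-party now closed by the added `</section>`, `<section id="def-service-providers">` is a sibling of def-party, but its heading is still `<h4>Service Providers</h4>` while def-party and def-user-agent use `<h3>`. Decide which is intended: if Service Providers is a subsection of Party, move the added `</section>` below it; if it is a definition in its own right, change the heading to `<h3>`. Replacing the stray `</p></section>` and quoting `class="option"` both look right.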
@@ -359,35 +130,19 @@
         sharing of that data except as directed by that party.
 	  </p> 
 	  
-	  <p class=option>Outsourced <dfn>service providers</dfn> are considered to be the same
-	  party as their clients if the service provider<br><br>
-	  1. acts only as a data processor on behalf of the client;<br><br>
-	  2. ensures that the data can only be accessed and used as directed by that client;<br><br>
-	  3. has not independent right to use or share the data except as necessary to ensure the
-	  integrity, security, and correct operation of the service being provided; and<br><br>
-	  4. has a contract in place that outlines and mandates these requirements.</p>
-	  
-	  <p class="note">
-       The working group is continuing to fine tune the defintion of service
-	   provider. Neither option above is at consensus.
-      </p>
+	  <p class="option">
+        Outsourced <dfn>service providers</dfn> are considered to be the same
+        party as their clients if the service provider<br><br>
+        1. acts only as a data processor on behalf of the client;<br><br>
+        2. ensures that the data can only be accessed and used as directed by that client;<br><br>
+        3. has not independent right to use or share the data except as necessary to ensure the
+        integrity, security, and correct operation of the service being provided; and<br><br>
+        4. has a contract in place that outlines and mandates these requirements.
+	  </p>	  
       
-      <p class=issue data-number=49 title="Third party as first party -- is a
+      <p class="issue" data-number="49" title="Third party as first party -- is a
       third party that collects data on behalf of a first party treated the
       same way as the first party"></p>
-	  
-	  <!--- Justin, 2.1.13: I could not just comment out three options, so I
-	  deleted them entirely.  However, we can find them in previous drafts if
-	  necessary. -->
-	  
-	  <p> </p>
-<!--  <p class="note">Ensure that third party can act as a third party,
-      or as a first party within section</p>
-      <p class="note">hwest to propose an alternative definition of first
-      party (based on ownership? alternative to inference?) [recorded in
-      http://www.w3.org/2012/07/11-dnt-minutes.html#action01]</p>
--->
-
     </section>
 
     <section id="first-party">
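Review bot: the note "Neither option above is at consensus" is removed, but both `<p class="option">` paragraphs for service providers remain and issue 49 is still attached, so the draft now presents two alternative definitions with no statement of their status. Keep a status note until one option is chosen. The re-indented second option also carries over "has not independent right" in item 3, which should read "has no independent right", and the four numbered items separated by `<br><br>` would be better marked up as an `<ol>` now that the paragraph is being rewritten.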
@@ -414,14 +169,10 @@
 	  functionality on the resource with which a user reasonably would expect to
 	  interact by accessing the resource.  Simple branding of a party, without more,
 	  will not be sufficient to make that party a first party in any particular
-	  network interaction.</p>
-	  
-	  <p class="note">The language on multiple first parties is not yet at consensus.</p>
+	  network interaction.</p>	  
 	  </section>
 	  
-	  <p class=issue data-number=10 title="What is a first party?"></p>
-	  
-	  
+	  <p class="issue" data-number="10" title="What is a first party?"></p>
 	</section>
 	  
 	  <section id="third-party">
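Review bot: the note "The language on multiple first parties is not yet at consensus." is removed, yet the `<p class="issue" data-number="10" title="What is a first party?">` marker directly below stays open, so the text no longer tells readers that the multiple-first-parties paragraph is provisional. Keep the note, or point it at issue 10, until that issue is closed. The replacement line `network interaction.</p>` also gains trailing whitespace, which should be stripped.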
@@ -430,268 +181,10 @@
 	  <p>In a specific network interaction, any entity that is not the user,
 	  user agent, or a first party is considered a <dfn>third party</dfn>.</p></section>
 	  
-    <!---  <section class="option" id="def-first-third-parties-opt-1">
-        <h4>Option 1: User Intention to Communicate</h4>
-
-   
-
-          <p>
-            A <dfn>first party</dfn> is any <a>party</a>, in a specific
-            <a>network interaction</a>, that can infer with high probability
-            that the user knowingly and intentionally communicated with it.
-            Otherwise, a party is a third party.
-          </p>
-          <p>
-            A <dfn>third party</dfn> is any <a>party</a>, in a specific
-            <a>network interaction</a>, that cannot infer with high
-            probability that the user knowingly and intentionally
-            communicated with it.
-          </p> --->
- 
-
-    <!---    <section class="informative">
-          <h2>Discussion</h2>
-
-          <section>
-            <h2>Overview</h2>
-
-            <p>
-              We draw a distinction between those parties an ordinary user
-              would or would not expect to share information with, "first
-              parties" and "third parties" respectively. The delineation
-              exists for three reasons.
-            </p>
-            <p>
-              First, when a user expects to share information with a party,
-              she can often exercise control over the information flow. Take,
-              for example, Example Social, a popular social network. The user
-              may decide she does not like Example Social's privacy or
-              security practices, so she does not visit examplesocial.com.
-              But if Example Social provides a social sharing widget embedded
-              in another website, the user may be unaware she is giving
-              information to Example Social and unable to exercise control
-              over the information flow.
-            </p>
-            <p>
-              Second, we recognize that market pressures are an important
-              factor in encouraging good privacy and security practices. If
-              users do not expect that they will share information with an
-              organization, it is unlikely to experience market pressure from

[1279 lines skipped]

Received on Wednesday, 24 April 2013 05:07:41 UTC