- From: CVS User jbrookma <cvsmail@w3.org>
- Date: Sat, 02 Feb 2013 20:06:15 +0000
- To: public-tracking-commit@w3.org
Update of /w3ccvs/WWW/2011/tracking-protection/drafts
In directory gil:/tmp/cvs-serv5722
Added Files:
CambridgeBareBones.html
Log Message:
adding new file for review at Cambridge
--- /w3ccvs/WWW/2011/tracking-protection/drafts/CambridgeBareBones.html 2013/02/02 20:06:15 NONE
+++ /w3ccvs/WWW/2011/tracking-protection/drafts/CambridgeBareBones.html 2013/02/02 20:06:15 1.1
<!DOCTYPE html>
<html lang="en" dir="ltr">
<head>
<title>Tracking Compliance and Scope</title>
<meta http-equiv="Content-Type" content="text/html;charset=utf-8">
<script src='http://www.w3.org/Tools/respec/respec-w3c-common' class='remove' async></script>
<script class="remove">
var respecConfig = {
specStatus: "ED",
shortName: "tracking-compliance",
previousPublishDate: "2012-05-23",
previousMaturity: "ED",
previousURI: "http://www.w3.org/2011/tracking-protection/drafts/tracking-compliance-20120523.html",
edDraftURI: "http://www.w3.org/2011/tracking-protection/drafts/tracking-compliance.html",
editors: [
{ name: "Justin Brookman", url: "http://cdt.org/",
company: "CDT", companyURL: "http://cdt.org/" },
<!-- { name: "Sean Harvey", url: "http://google.com/", -->
<!-- company: "Google", companyURL: "http://google.com/" },
<!-- { name: "Erica Newland", url: "http://cdt.org/",
<!-- company: "CDT", companyURL: "http://cdt.org/" }, -->
{ name: "Heather West", url: "http://Google.com/",
company: "Google", companyURL: "http://google.com/" },
],
wg: "Tracking Protection Working Group",
wgURI: "http://www.w3.org/2011/tracking-protection/",
wgPublicList: "public-tracking",
wgPatentURI: "http://www.w3.org/2004/01/pp-impl/49311/status",
issueBase: "http://www.w3.org/2011/tracking-protection/track/issues/",
}
</script>
<link rel="stylesheet" href="additional.css" type="text/css" media="screen"
title="custom formatting for TPWG editors">
</head>
<body>
<section id="abstract">
<p>
This specification defines the meaning of a Do Not Track (DNT)
preference and sets out practices for websites to comply with this
preference.
</p>
</section>
<section id="sotd">
<p>
This document is a significantly streamlined version of the compliance
spec for discussion at the Cambridge face-to-face meeting of the
<a href="http://www.w3.org/2011/tracking-protection/">Tracking Protection
Working Group</a> on Feburary 11-13, 2013. This language reflects the editors
effort to simplify existing text and has not been formally adopted by the
Working Group. An
<a href="http://www.w3.org/2011/tracking-protection/track/issues/">issue
tracking system</a> is available for recording
<a href="http://www.w3.org/2011/tracking-protection/track/issues/raised">raised</a>,
<a href="http://www.w3.org/2011/tracking-protection/track/issues/open">open</a>,
<a href="http://www.w3.org/2011/tracking-protection/track/issues/pendingreview">pending review</a>,
<a href="http://www.w3.org/2011/tracking-protection/track/issues/closed">closed</a>,
and <a href="http://www.w3.org/2011/tracking-protection/track/issues/postponed">postponed</a>
issues regarding this document.
</p>
</section>
<section id="introduction">
<h2>Introduction</h2>
<p class="note">
The introduction will be re-worked after details of substantive text
is closer to being finalized.
</p>
<!--- <p>
The World Wide Web (WWW, or Web) consists of millions of sites
interconnected through the use of hypertext. Hypertext provides a
simple, page-oriented view of a wide variety of information that can be
traversed by selecting links, manipulating controls, and supplying data
via forms and search dialogs. A Web page is usually composed of many
different information sources beyond the initial resource request,
including embedded references to stylesheets, inline images,
javascript, and other elements that might be automatically requested as
part of the rendering or behavioral processing defined for that page.
</p>
<p>
Each of the hypertext actions and each of the embedded resource
references might refer to any site on the Web, leading to a seamless
interaction with the user even though the pages might be composed of
information requested from many different and possibly independent Web
sites. From the user's perspective, they are simply visiting and
interacting with a single brand -- the first-party Web property -- and
all of the technical details and protocol mechanisms that are used to
compose a page representing that brand are hidden behind the scenes.
</p>
<p>
It has become common for Web site owners to collect data regarding the
usage of their sites for a variety of purposes, including what led the
user to visit their site (referrals), how effective the user experience
is within the site (web analytics), and the nature of who is using
their site (audience segmentation). In some cases, the data collected
is used to dynamically adapt the content (personalization) or the
advertising presented to the user (targeted advertising). Data
collection can occur both at the first-party site and via third-party
providers through the insertion of tracking elements on each page. A
survey of these techniques and their privacy implications can be found
in [[KnowPrivacy]].
</p>
<p>
People have the right to know how data about them will be collected and
how it will be used. Empowered with that knowledge, individuals can
decide whether to allow their online activities to be tracked and data
about them to be collected. Many Internet companies use data gathered
about people's online activities to personalize content and target
advertising based on their perceived interests. While some people
appreciate this personalization of content and ads in certain contexts,
others are troubled by what they perceive as an invasion of their
privacy. For them, the benefit of personalization is not worth their
concerns about allowing entities with whom they have no direct
relationship to amass detailed profiles about their activities.
</p>
<p>
Therefore, users need a mechanism to express their own preference
regarding tracking that is both simple to configure and efficient when
implemented. In turn, Web sites that are unwilling or unable to offer
content without such targeted advertising or data collection need a
mechanism to indicate those requirements to the user and allow them (or
their user agent) to make an individual choice regarding user-granted
exceptions.
</p>
<p>
This specification defines the terminology of tracking preferences, the
scope of its applicability, and the requirements on compliant
first-party and third-party participants when an indication of tracking
preference is received. This specification defines the meaning of a Do
Not Track preference and sets out practices for websites and other
online companies to comply with this preference.
</p>
<p>
A companion document, [[!TRACKING-DNT]], defines the HTTP request
header field DNT for expressing a tracking preference on the Web, a
well-known location (URI) for providing a machine-readable tracking
status resource that describes a service's DNT compliance, the HTTP
response header field Tk for resources to communicate their compliance
or non-compliance with the user's expressed preference, and JavaScript
APIs for determining DNT status and requesting a site-specific,
user-granted exception.
</p> --->
</section>
<section id="scope-and-goals">
<h2>Scope and Goals</h2>
<p class="issue" data-number="6" title="What are the underlying concerns? Why are we doing this?">
This section will be re-worked after details of substantive text
is closer to being finalized.
</p>
<!--- <p>
While there are a variety of business models to monetize content on the
web, many rely on advertising. Advertisements can be targeted to a
particular user's interests based on information gathered about one's
online activity. While the Internet industry believes many users
appreciate such targeted advertising, as well as other personalized
content, there is also an understanding that some people find the
practice intrusive. If this opinion becomes widespread, it could
undermine the trust necessary to conduct business on the Internet. This
Compliance specification and a companion [[!TRACKING-DNT]]
specification are intended to give users a means to indicate their
tracking preference and to spell out the obligations of compliant
websites that receive the Do Not Track message. The goal is to provide
the user with choice, while allowing practices necessary for a smoothly
functioning Internet. This should be a win-win for business and
consumers alike. The Internet brings millions of users and web sites
together in a vibrant and rich ecosystem. As the sophistication of the
Internet has grown, so too has its complexity which leaves all but the
most technically savvy unable to deeply understand how web sites
collect and use data about their online interactions. While on the
surface many web sites may appear to be served by a single entity, in
fact, many web sites are an assembly of multiple parties coming
together to power a user's online experience. As an additional privacy
tool, this specification provides both the technical and compliance
guidelines to enable the online ecosystem to further empower users with
the ability to communicate a tracking preferences to a web site and its
partners.
</p>
<p>
The accompanying
<a href="http://www.w3.org/2011/tracking-protection/drafts/tracking-compliance.html#bib-TRACKING-DNT">TRACKING-DNT</a>
recommendation explains how a user, through a user agent, can clearly
express a desire not to be tracked. This Tracking Compliance and Scope
recommendation sets the standard for the obligations of a website that
receives such a DNT message.
</p>
<p>
Taken together these two standards should have four substantial
outcomes:
</p>
<ol start="1">
<li>Empower users to manage their preference around the collection and
correlation of data about Internet activities that occur on different
sites and spell out the obligations of sites in honoring those
preferences when DNT is enabled.</li>
<li>Provide an exceedingly straightforward way for users to gain
transparency and control over data usage and the personalization of
content and advertising on the web.</li>
<li>Enable a vibrant Internet to continue to flourish economically by
supporting innovative business models while protecting users'
privacy.</li>
<li>Establish compliance metrics for operators of online services</li>
</ol>
<p>
This standard has limited applicability to any practices by first
parties, their service providers, subsidiaries, or affiliated
companies. Under the standard, first parties may and will continue to
collect and use data for tracking and other purposes. This standard is
primarily directed at third parties.
</p>
<p>
This solution is intended to be persistent, technology neutral, and
reversible by the user. It aims to preserve a vibrant online ecosystem,
privacy-preserving secondary data uses necessary to ecommerce, and
adequate security measures. We seek a solution that is persistent,
technology neutral, and [something that speaks with the ability to opt
back in], but that preserves a vibrant online ecosystem,
privacy-preserving secondary data uses, and adequate security measures.
</p> --->
</section>
<section id="definitions">
<h2>Definitions</h2>
<!--
<p class="note">The definitions section is a strawman proposal from editors
based on discussion in Seattle. Many sections are not yet consensus text.</p>
-->
<section id="def-user">
<h3>User</h3>
<!--
<p class="note">This definition is consensus or near-consensus text from the
pre-Seattle draft.</p>
-->
<p>
A user is an individual human. When user-agent software accesses
online resources, whether or not the user understands or has specific
knowledge of a particular request, that request is made "by" the
user.
</p>
</section>
<section id="def-user-agent">
<h3>User Agent</h3>
<!--
<p class="note">This definition is consensus or near-consensus text from the
pre-Seattle draft, but there may be some debate on the definition.</p>
-->
<p>
This specification uses the term user agent to refer to any of the
various client programs capable of initiating HTTP requests,
including but not limited to browsers, spiders (web-based robots),
command-line tools, native applications, and mobile apps [[!HTTP11]].
</p>
<p class="note">
There has been recent discussion about whether the specification
should differentiate among different types of users agents (such as
general purpose browsers, add-ons, and stand-alone software
programs), and possibly specify different compliance obligations
depending on the type of user agent, or priority among different
categories of user agents in the event of conflicting settings. There
is currently no open ISSUE associated with this discussion.
</p>
</section>
<section id="def-party">
<h3>Party</h3>
<!--
<p class="note">Dsinger has asked to add something about the responsibility
following the data</p>
-->
<!-- Justin, 2.1.13: The two definitions were so close that I just decided
to merge them. -->
<p>
A <dfn>party</dfn> is any commercial, nonprofit, or governmental
organization, a subsidiary or unit of such an organization, or
a person. For unique corporate entities to qualify as a common
party with respect to this document,those entities MUST be
commonly owned and commonly controlled and MUST
provide easy discoverability of affiliate organizations. An
list of affiliates MUST be provided within one click from each
page or the entity owner clearly identified within one click
from each page.
</p>
<!--- <p class="example">
A website with a clear labeled link to the Affiliate List within
the privacy policy would meet this requirement or the ownership
brand clearly labeled on the privacy policy itself and may choose
to act as a single party. --->
</p></section>
<!--
A <dfn>functional entity</dfn> is any commercial, nonprofit, or governmental
organization, a subsidiary or unit of such an organization, or a person.
<br/><br/>
Functional entities are <dfn>affiliated</dfn> when they are related by both
common majority ownership and common control.
<br/><br/>
A <dfn>party</dfn> is a set of functional entities that are affiliated.
<section>
<h2>Transparency</h2>
<p class="note">This section is at best out of place, and should be in the
compliance section, not definitions.</p>
<section>
<h2>Requirement</h2>
A <a>functional entity</a> must make its <a>affiliated</a> functional entities
easily discoverable by a user.
</section>
<section>
<h2>Non-Normative Discussion</h2>
<p class="informative">Affiliation may be made easily discoverable by
prominent and common branding by a functional entity of affiliation on its
webpages, within a privacy policy linked from its webpages, or a
machine-readable format in a well-known location.</p>
<h2>Affiliated Parties</h2>
<p class="note">I changed this text to reflect that it's a definition of
affiliated parties, but should retain the requirement that an affiliated party
must be discoverable in order to be considered affiliated under this
draft.</p>
<section>
<h2>Requirement</h2>
A <a>functional entity</a> must make its <a>affiliated</a> functional entities
easily discoverable by a user.
</section>
<section>
<h2>Non-Normative Discussion</h2>
<p class="informative">Affiliation may be made easily discoverable by
prominent and common branding by a functional entity of affiliation on its
webpages, within a privacy policy linked from its webpages, or a
machine-readable format in a well-known location.</p>
</section>
</section>
</section> --->
<section id="def-service-providers">
<h4>Service Providers/Outsourcers</h4>
<p class="note">
We do not expect outsourcing to be a major topic of discussion at the
Cambridge face-to-face, so this definition is suggested as a
placeholder. Some working group participants have argued for more
prescriptive rules to qualify as a service provider.
</p>
Outsourced service providers are considered to be the same party as their
clients if the outsourced service providers only act as data processors on
behalf of that party in relation to that party, silo the data so that it
cannot be accessed by other parties, and have no control over the use or
sharing of that data except as directed by that party.
<!--- Justin, 2.1.13: I could not just comment out three options, so I
deleted them entirely. However, we can find them in previous drafts if
necessary. --->
<p> </p>
<!-- <p class="note">Ensure that third party can act as a third party,
or as a first party within section</p>
<p class="note">hwest to propose an alternative definition of first
party (based on ownership? alternative to inference?) [recorded in
http://www.w3.org/2012/07/11-dnt-minutes.html#action01]</p>
-->
</section>
<section id="first-third-parties">
<h3>First and Third Parties</h3>
<section class="option" id="def-first-third-parties-opt-1">
<h4>Option 1: User Intention to Communicate</h4>
<p>
A <dfn>first party</dfn> is any <a>party</a>, in a specific
<a>network interaction</a>, that can infer with high probability
that the user knowingly and intentionally communicated with it.
Otherwise, a party is a third party.
</p>
<p>
A <dfn>third party</dfn> is any <a>party</a>, in a specific
<a>network interaction</a>, that cannot infer with high
probability that the user knowingly and intentionally
communicated with it.
</p>
<!--- <section class="informative">
<h2>Discussion</h2>
[1303 lines skipped]
Received on Saturday, 2 February 2013 20:06:17 UTC