- From: CVS User npdoty <cvsmail@w3.org>
- Date: Mon, 29 Dec 2014 21:35:55 +0000
- To: public-tracking-commit@w3.org
Update of /w3ccvs/WWW/2011/tracking-protection/drafts In directory gil:/tmp/cvs-serv5652 Modified Files: tracking-compliance.html Log Message: html tidy and cleanup; no content changes --- /w3ccvs/WWW/2011/tracking-protection/drafts/tracking-compliance.html 2014/12/10 06:18:47 1.135 +++ /w3ccvs/WWW/2011/tracking-protection/drafts/tracking-compliance.html 2014/12/29 21:35:55 1.136 @@ -2,10 +2,12 @@ <html lang="en" dir="ltr"> <head> <title>Tracking Compliance and Scope</title> - <meta http-equiv="Content-Type" content="text/html;charset=utf-8"> - <script src='http://www.w3.org/Tools/respec/respec-w3c-common' class='remove' async></script> + <meta http-equiv="Content-Type" content="text/html; charset=utf-8"> + <script src="http://www.w3.org/Tools/respec/respec-w3c-common" class="remove" + async=""> + </script> <script class="remove"> - var respecConfig = { + var respecConfig = { specStatus: "ED", shortName: "tracking-compliance", previousMaturity: "WD", 
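Review bot: the rewrite of the ReSpec `<script>` element turns the bare boolean `async` into `async=""` and splits the element over three lines; both spellings are equivalent in HTML, so this stays within the "no content changes" claim of the log message. Since the line is being touched anyway, it would be worth checking whether `http://www.w3.org/Tools/respec/respec-w3c-common` can be loaded over https instead: a script fetched over plain http can be altered in transit by anyone on the network path, and it runs with full access to the draft's page. The `Content-Type` meta change to `text/html; charset=utf-8` is fine (whitespace after `;` is permitted in media-type parameters).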
@@ -51,538 +53,750 @@ } </style> </head> + <body> <section id="abstract"> - <p> - This recommendation defines a set of practices for compliance with a user's - Do Not Track (DNT) tracking preference to which a server may claim adherence. - </p> + <p>This recommendation defines a set of practices for compliance with a + user's Do Not Track (DNT) tracking preference to which a server may claim + adherence.</p> </section> + <section id="sotd"> - <p> - <strong>This editor's draft does not constitute consensus and may change frequently.</strong> Reviewers are advised to consult the <a href="https://www.w3.org/2011/tracking-protection/track/products/5">list of issues tracked in the Compliance Current product</a> and the <a href="http://www.w3.org/wiki/Privacy/TPWG#Change_proposals">wiki list of change proposals</a> developed by participants in the Working Group. The Working Group has published a Last Call Working Draft of the companion <a href="http://www.w3.org/TR/tracking-dnt/">Tracking Preference Expression</a> document; a more stable snapshot of this document <a href="http://www.w3.org/TR/tracking-compliance/">has been published as a Working Draft</a>. - </p> + <p><strong>This editor's draft does not constitute consensus and may change + frequently.</strong> Reviewers are advised to consult the <a href= + "https://www.w3.org/2011/tracking-protection/track/products/5">list of + issues tracked in the Compliance Current product</a> and the <a href= + "http://www.w3.org/wiki/Privacy/TPWG#Change_proposals">wiki list of change + proposals</a> developed by participants in the Working Group. 
The Working + Group has published a Last Call Working Draft of the companion <a href= + "http://www.w3.org/TR/tracking-dnt/">Tracking Preference Expression</a> + document; a more stable snapshot of this document <a href= + "http://www.w3.org/TR/tracking-compliance/">has been published as a Working + Draft</a>.</p> </section> + <section id="scope-and-goals"> <h2>Scope</h2> - <p> - Do Not Track is designed to provide users with a simple mechanism - to express a preference to allow or limit online <a>tracking</a>. - Complying with the user's preference as described in this document - includes limits on the collection, retention and use of data collected - as a <a>third party</a> to <a title="user action">user actions</a>. - </p> - <p> - This recommendation is intended for compliance with expressed user preferences - via <a title="user agent">user agents</a> that (1) can access the general browsable Web; (2) have a user interface that - satisfies the requirements in <a href="http://www.w3.org/2011/tracking-protection/drafts/tracking-dnt.html#determining">Determining User Preference</a> in the [[!TRACKING-DNT]] specification; (3) and can implement all of the [[!TRACKING-DNT]] specification, including the mechanisms for communicating a tracking status, and the user-granted exception mechanism. - </p> - <p class="issue" data-number="209" title="Description of scope of specification"></p> + + <p>Do Not Track is designed to provide users with a simple mechanism to + express a preference to allow or limit online <a>tracking</a>. 
Complying + with the user's preference as described in this document includes limits on + the collection, retention and use of data collected as a <a>third party</a> + to <a title="user action">user actions</a>.</p> + + <p>This recommendation is intended for compliance with expressed user + preferences via <a title="user agent">user agents</a> that (1) can access + the general browsable Web; (2) have a user interface that satisfies the + requirements in <a href= + "http://www.w3.org/2011/tracking-protection/drafts/tracking-dnt.html#determining"> + Determining User Preference</a> in the [[!TRACKING-DNT]] specification; (3) + and can implement all of the [[!TRACKING-DNT]] specification, including the + mechanisms for communicating a tracking status, and the user-granted + exception mechanism.</p> + + <p class="issue" data-number="209" title= + "Description of scope of specification"></p> </section> <section id="definitions"> <h2>Definitions</h2> - - <section id="user"> - <h3>User</h3> - <p> - A <dfn>user</dfn> is an individual human. When user agent software - accesses online resources, whether or not the user understands or has - specific knowledge of a particular request, that request is "made by - the user." - </p></section> - - <section id="user-agent"> + + <section id="user"> + <h3>User</h3> + + <p>A <dfn>user</dfn> is an individual human. When user agent software + accesses online resources, whether or not the user understands or has + specific knowledge of a particular request, that request is "made by the + user."</p> + </section> + + <section id="user-agent"> <h3>User Agent</h3> - <p> - The term <dfn>user agent</dfn> refers to any of the - various client programs capable of initiating HTTP requests, - including but not limited to browsers, spiders (web-based robots), - command-line tools, native applications, and mobile apps [[!RFC7230]]. - </p> - <p class="issue" data-number="227" title="User Agent requirements in UA Compliance vs. 
Scope section"> - There is a proposal to move a sentence about user agents from the Introduction/Scope section to this section. We might also include a reference here to the conformance requirements on user agents in the companion TPE recommendation. - </p> - </section> - - <section id="network-interaction"> + + <p>The term <dfn>user agent</dfn> refers to any of the various client + programs capable of initiating HTTP requests, including but not limited + to browsers, spiders (web-based robots), command-line tools, native + applications, and mobile apps [[!RFC7230]].</p> + + <p class="issue" data-number="227" title= + "User Agent requirements in UA Compliance vs. Scope section">There is a + proposal to move a sentence about user agents from the Introduction/Scope + section to this section. We might also include a reference here to the + conformance requirements on user agents in the companion TPE + recommendation.</p> + </section> + + <section id="network-interaction"> <h3>Network Interaction</h3> - <p> - A <dfn>network interaction</dfn> is a single HTTP request and its - corresponding response(s): zero or more interim (1xx) responses and - a single final (2xx-5xx) response. - </p></section> - - <section id="user-action"> + + <p>A <dfn>network interaction</dfn> is a single HTTP request and its + corresponding response(s): zero or more interim (1xx) responses and a + single final (2xx-5xx) response.</p> + </section> + + <section id="user-action"> <h3>User Action</h3> - <p> - A <dfn>user action</dfn> is a deliberate action by the user, via - configuration, invocation, or selection, to initiate a network - interaction. Selection of a link, submission of a form, and reloading - a page are examples of user actions. - </p></section> - - <section id="subrequest"> - <h3>Subrequest</h3> - <p> - A <dfn>subrequest</dfn> is any network interaction that is not directly - initiated by user action. 
For example, an initial response in a hypermedia - format that contains embedded references to stylesheets, images, frame - sources, and onload actions will cause a browser, depending on its - capabilities and configuration, to perform a corresponding set of automated - subrequests to fetch those references using additional network interactions. - </p></section> - - <section id="party"> + + <p>A <dfn>user action</dfn> is a deliberate action by the user, via + configuration, invocation, or selection, to initiate a network + interaction. Selection of a link, submission of a form, and reloading a + page are examples of user actions.</p> + </section> + + <section id="subrequest"> + <h3>Subrequest</h3> + + <p>A <dfn>subrequest</dfn> is any network interaction that is not + directly initiated by user action. For example, an initial response in a + hypermedia format that contains embedded references to stylesheets, + images, frame sources, and onload actions will cause a browser, depending + on its capabilities and configuration, to perform a corresponding set of + automated subrequests to fetch those references using additional network + interactions.</p> + </section> + + <section id="party"> <h3>Party</h3> - <p> - A <dfn>party</dfn> is a natural person, a legal entity, or a set - of legal entities that share common owner(s), common controller(s), - and a group identity that is easily discoverable by a user. Common - branding or providing a list of affiliates that is available via a - link from a resource where a party describes DNT practices are examples - of ways to provide this discoverability. - </p></section> - - <section id="service-provider"> + + <p>A <dfn>party</dfn> is a natural person, a legal entity, or a set of + legal entities that share common owner(s), common controller(s), and a + group identity that is easily discoverable by a user. 
Common branding or + providing a list of affiliates that is available via a link from a + resource where a party describes DNT practices are examples of ways to + provide this discoverability.</p> + </section> + + <section id="service-provider"> <h3>Service Provider</h3> - <p> - Access to Web resources often involves multiple parties that might process the data received in a network interaction. For example, domain name services, network access points, content distribution networks, load balancing services, security filters, cloud platforms, and software-as-a-service providers might be a party to a given network interaction because they are contracted by either the user or the resource owner to provide the mechanisms for communication. Likewise, additional parties might be engaged after a network interaction, such as when services or contractors are used to perform specialized data analysis or records retention. - </p> - <p> - For the data received in a given network interaction, a <dfn>service provider</dfn> is considered to be the same party as its <dfn>contractee</dfn> if the service provider: - </p> + + <p>Access to Web resources often involves multiple parties that might + process the data received in a network interaction. For example, domain + name services, network access points, content distribution networks, load + balancing services, security filters, cloud platforms, and + software-as-a-service providers might be a party to a given network + interaction because they are contracted by either the user or the + resource owner to provide the mechanisms for communication. 
Likewise, + additional parties might be engaged after a network interaction, such as + when services or contractors are used to perform specialized data + analysis or records retention.</p> + + <p>For the data received in a given network interaction, a <dfn>service + provider</dfn> is considered to be the same party as its + <dfn>contractee</dfn> if the service provider:</p> + <ol> <li>processes the data on behalf of the contractee;</li> - <li>ensures that the data is only retained, accessed, and used as directed by the contractee;</li> - <li>has no independent right to use the data other than in a <a>permanently deidentified</a> form (e.g., for monitoring service integrity, load balancing, capacity planning, or billing); and,</li> - <li>has a contract in place with the contractee which is consistent with the above limitations.</li> + + <li>ensures that the data is only retained, accessed, and used as + directed by the contractee;</li> + + <li>has no independent right to use the data other than in a + <a>permanently deidentified</a> form (e.g., for monitoring service + integrity, load balancing, capacity planning, or billing); and, + </li> + + <li>has a contract in place with the contractee which is consistent + with the above limitations.</li> </ol> - </section> - - <section id="first-party"> + </section> + + <section id="first-party"> <h3>First Party</h3> - <p> - With respect to a given user action, a <dfn>first party</dfn> - is a party with which the user intends to interact, via one or more - network interactions, as a result of making that action. Merely - hovering over, muting, pausing, or closing a given piece of content - does not constitute a user's intent to interact with another party. - </p> - <p> - In some cases, a resource on the Web will be jointly controlled by - two or more distinct parties. Each of those parties is considered a - first party if a user would reasonably expect to communicate with - all of them when accessing that resource. 
For example, prominent - co-branding on the resource might lead a user to expect that - multiple parties are responsible for the content or functionality. - </p> - <p> - Network interactions and subrequests related to a given user action may not constitute intentional interaction when, for example, the user is unaware or only transiently informed of redirection or framed content. - </p> - </section> - - <section id="third-party"> - <h3>Third Party</h3> - <p> - For any data collected as a result of one or more network interactions - resulting from a user's action, a <dfn>third party</dfn> is any party - other than that user, a first party for that user action, or a service - provider acting on behalf of either that user or that first party. - </p></section> - - <section id="deidentified"> - <h3>Deidentification</h3> - <p> - Data is <dfn>permanently deidentified</dfn> when there exists a high level of confidence that no human subject of the data can be identified, directly or indirectly (e.g., via association with an identifier, user agent, or device), by that data alone or in combination with other retained or available information. - </p> - <section id="deidentified-considerations" class="informative"> + + <p>With respect to a given user action, a <dfn>first party</dfn> is a + party with which the user intends to interact, via one or more network + interactions, as a result of making that action. Merely hovering over, + muting, pausing, or closing a given piece of content does not constitute + a user's intent to interact with another party.</p> + + <p>In some cases, a resource on the Web will be jointly controlled by two + or more distinct parties. Each of those parties is considered a first + party if a user would reasonably expect to communicate with all of them + when accessing that resource. 
For example, prominent co-branding on the + resource might lead a user to expect that multiple parties are + responsible for the content or functionality.</p> + + <p>Network interactions and subrequests related to a given user action + may not constitute intentional interaction when, for example, the user is + unaware or only transiently informed of redirection or framed + content.</p> + </section> + + <section id="third-party"> + <h3>Third Party</h3> + + <p>For any data collected as a result of one or more network interactions + resulting from a user's action, a <dfn>third party</dfn> is any party + other than that user, a first party for that user action, or a service + provider acting on behalf of either that user or that first party.</p> + </section> + + <section id="deidentified"> + <h3>Deidentification</h3> + + <p>Data is <dfn>permanently deidentified</dfn> when there exists a high + level of confidence that no human subject of the data can be identified, + directly or indirectly (e.g., via association with an identifier, user + agent, or device), by that data alone or in combination with other + retained or available information.</p> + + <section id="deidentified-considerations" class="informative"> <h4>Deidentification Considerations</h4> - <p> - In this specification the term <a>permanently deidentified</a> is used for data that has passed out of the scope of this specification and can not, and will never, come back into scope. The organization that performs the deidentification needs to be confident that the data can never again identify the human subjects whose activity contributed to the data. That confidence may result from ensuring or demonstrating that it is no longer possible to: - </p> + + <p>In this specification the term <a>permanently deidentified</a> is + used for data that has passed out of the scope of this specification + and can not, and will never, come back into scope. 
The organization + that performs the deidentification needs to be confident that the data + can never again identify the human subjects whose activity contributed + to the data. That confidence may result from ensuring or demonstrating + that it is no longer possible to:</p> + <ul> - <li>isolate some or all records which correspond to a device or user;</li> - <li>link two or more records (either from the same database or different databases), concerning the same device or user;</li> - <li>deduce, with significant probability, information about a device or user.</li> + <li>isolate some or all records which correspond to a device or + user;</li> + + <li>link two or more records (either from the same database or + different databases), concerning the same device or user;</li> + + <li>deduce, with significant probability, information about a device + or user.</li> </ul> - <p> - Regardless of the deidentification approach, unique keys can be used to correlate records within the deidentified dataset, provided the keys do not exist and cannot be derived outside the deidentified dataset and have no meaning outside the deidentified dataset (i.e. no mapping table can exist that links the original identifiers to the keys in the deidentified dataset). - </p> - <p> - In the case of records in such data that relate to a single user or a small number of users, usage and/or distribution restrictions are advisable; experience has shown that such records can, in fact, sometimes be used to identify the user or users despite technical measures taken to prevent reidentification. It is also a good practice to disclose (e.g. in the privacy policy) the process by which deidentification of these records is done, as this can both raise the level of confidence in the process, and allow for for feedback on the process. 
The restrictions might include, for example: - </p> + + <p>Regardless of the deidentification approach, unique keys can be used + to correlate records within the deidentified dataset, provided the keys + do not exist and cannot be derived outside the deidentified dataset and + have no meaning outside the deidentified dataset (i.e. no mapping table + can exist that links the original identifiers to the keys in the + deidentified dataset).</p> + + <p>In the case of records in such data that relate to a single user or + a small number of users, usage and/or distribution restrictions are + advisable; experience has shown that such records can, in fact, + sometimes be used to identify the user or users despite technical + measures taken to prevent reidentification. It is also a good practice + to disclose (e.g. in the privacy policy) the process by which + deidentification of these records is done, as this can both raise the + level of confidence in the process, and allow for for feedback on the + process. 
The restrictions might include, for example:</p> + <ul> - <li>technical safeguards that prohibit reidentification of deidentified data and/or merging of the original tracking data and deidentified data;</li> - <li>business processes that specifically prohibit reidentification of deidentified data and/or merging of the original tracking data and deidentified data;</li> - <li>business processes that prevent inadvertent release of either the original tracking data or deidentified data;</li> - <li>administrative controls that limit access to both the original tracking data and deidentified data.</li> + <li>technical safeguards that prohibit reidentification of + deidentified data and/or merging of the original tracking data and + deidentified data;</li> + + <li>business processes that specifically prohibit reidentification of + deidentified data and/or merging of the original tracking data and + deidentified data;</li> + + <li>business processes that prevent inadvertent release of either the [849 lines skipped]
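Review bot: this hunk re-wraps several hundred lines of specification prose (538 lines replaced by 750), so the "no content changes" claim in the log message cannot be confirmed by reading the diff itself; please verify it with a whitespace-insensitive comparison against revision 1.135 (for example `diff -w`, or diffing the rendered text of both versions) before accepting. One pre-existing defect the tidy carried over unchanged is the doubled word in "allow for for feedback on the process" in the deidentification considerations section; as this commit is intended to be whitespace-only, that should be fixed in a separate content commit rather than folded in here.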
Received on Monday, 29 December 2014 21:35:57 UTC