RE: High-level text on third-party responsibilities (ACTION-38, ISSUE-19)

Jonathan,

User vs. User Agents:  It was my understanding that we'd define "User" to cover user agents as well rather than continually needing to list out both.  If everyone agrees, this will shorten and simplify the language we use throughout the document.

Data Retention:  If data isn't collected, it cannot be retained.  It would appear the addition here is attempting to address previously collected data which is being addressed in Issue 71 (http://www.w3.org/2011/tracking-protection/track/issues/71).  <Personal opinion: DNT signal MUST be applied prospectively and MAY also be applied retrospectively.>

Exception Clarity:  I agree that this should not be interpreted as an "open to interpretation" exception clause - and believe the current proposal addresses that perspective.  I've taken another pass at the statement to attempt to address your concern that exceptions as a class are somehow nebulous within the previous wording.

Updated Recommended Language:  A 3rd party may not collect or use information related to communication with a user outside of explicitly expressed exceptions as defined within the standard.  Supported exceptions are: ....  

Thoughts?

- Shane

-----Original Message-----
From: Jonathan Mayer [mailto:jmayer@stanford.edu] 
Sent: Wednesday, December 07, 2011 11:41 AM
To: Shane Wiley
Cc: <public-tracking@w3.org> (public-tracking@w3.org)
Subject: Re: High-level text on third-party responsibilities (ACTION-38, ISSUE-19)

A few design considerations from my version of the high-level rule:

-Do Not Track should address communication with user agents in addition to users since in many (if not most) cases the user will be unaware of and have no explicit interaction with a third party.

-In my view of the key terms, data collection is bits arriving at a third party, data retention is a third party keeping bits, and data use is a third party applying logic to bits.  I think Do Not Track should, at a high level, prohibit all three; each exception should narrowly define a set of permissible collection/retention/use practices.  (We may also want to address data sharing, when a third party hands bits to another party.)

-Exceptions in the high-level rule should be explicitly linked to the subsequent exception definitions.  We might otherwise create ambiguity about the scope of exceptions and, in particular, might suggest there are broad use-based exceptions.

On Dec 7, 2011, at 9:13 AM, Shane Wiley wrote:

> Proposed Update:
> 
> A 3rd party may not collect or use information related to communication with a user outside of supported exceptions.  Supported exceptions are: ....
> 
> - Shane
> 
> -----Original Message-----
> From: Jonathan Mayer [mailto:jmayer@stanford.edu] 
> Sent: Wednesday, December 07, 2011 10:10 AM
> To: <public-tracking@w3.org> (public-tracking@w3.org)
> Subject: High-level text on third-party responsibilities (ACTION-38, ISSUE-19)
> 
> A third party may not collect, retain, or use any information related to communication with a user or user agent.  There are exceptions to this general rule for _____, _____, and _____ as defined in the following sections.
> 
> 

Received on Thursday, 8 December 2011 06:03:04 UTC