
RE: [ISSUE-5] What is the definition of tracking?

From: Kevin Smith <kevsmith@adobe.com>
Date: Mon, 12 Dec 2011 10:24:28 -0800
To: "Aleecia M. McDonald" <aleecia@aleecia.com>, Tracking Protection Working Group WG <public-tracking@w3.org>
Message-ID: <6E120BECD1FFF142BC26B61F4D994CF3064C4FF625@nambx07.corp.adobe.com>

It was exactly the philosophical discussions I was trying to avoid.  I am not trying to say we need to define tracking or privacy etc. (perhaps I should have attached it to a different issue).  Quite the contrary - I am suggesting that we greatly simplify our discussions by clearly stating our intent and then leaving the philosophy out of it.  We need to put a line in the sand somewhere.  The end result of not doing so and leaving so many high-level questions unanswered is exactly what Aleecia is trying to avoid -- long discussions which monopolize our time that I personally do not think are pertinent to the end result (such as focusing so much on 1st vs 3rd parties, which is only relevant because 1st parties are allowed to track.  However, neither are allowed to cross track).

I propose that we state our intent to be:  To provide controls to the user to prevent any tracking or targeting across non-same branded sites (with a few exceptions to when cross tracking would be permissible).  This is a much more solvable challenge, and I believe it to be in alignment with the majority of participants.  Am I wrong?

I think Aleecia's example on collection is perfect because it highlights both sides of the argument.  There is a faction (understandably focused on timelines) that feels great when decisions like that are made because they feel like we are making progress towards the end document.  I also see a large faction that sees these decisions as completely meaningless because the context behind the decision has not been defined (i.e., saying DNT:1 means that a 3rd party cannot track is meaningless unless you define what track means).  I personally am somewhere on the fence between these 2 approaches.  I think there are some decisions you can make in abstract; however, you always take the risk that once the abstract becomes concrete, your decision may be wrong or not even pertinent.

-----Original Message-----
From: Aleecia M. McDonald [mailto:aleecia@aleecia.com] 
Sent: Monday, December 12, 2011 1:50 AM
To: Tracking Protection Working Group WG
Subject: Re: [ISSUE-5] What is the definition of tracking?


For those newer to our merry band, I generally read threads carefully but generally let them take their own course. On this one I'm going to step in and make a request: if you absolutely are determined to have this discussion, please take it to public-privacy (or I can ask to set up a new meta discussion list, if that's favored) rather than attempting to hash this out on the public-tracking list, where we are also trying to get work done with deadlines attached. 

Bjoern is correct that the charter is very broad. Several people agree with the idea that we must figure out why we are here, what we want to accomplish, and we should start with principles like what is privacy, does privacy matter and if so to whom, and so forth. While I have some sympathy for that view, I've pushed not to have those discussions. There are two reasons for this (and Jonathan provided some excellent additional reasons).

The first is simply time. We could readily spend from now until June and still not agree on what "tracking" means. It would be a fascinating discussion, I am sure, but the mailing list discussion is not a deliverable. We have standards documents to get done in a very short time. Right now there are three topics I wish to discuss on the Wednesday call, all with text at least one author is over-due writing. For my own part, I owe email responses to several WG members right now, including on some important issues (and hope to be fully caught up by the end of Monday). These sorts of meta-discussions can soak up arbitrary amounts of time, and are potentially very distracting from work we all need to get done. 

The second is I do not think we will come to agreement on the higher-level philosophical issues. Across the span of the membership, we hold very different views. We will continue to pick up new members over time, which makes it even less plausible that we can hash this out once and for all and move on. 

Fortunately, we are not here to solve world peace. I believe we can make good consensus decisions on how to create recommendations everyone can live with, even when we have different reasons for reaching those agreements. We also have some good common ground on goals. From the first meeting in Santa Clara on, we have been talking about writing a recommendation that companies can implement, and that works to give users additional control. 

Let me take an example. Are we working on data collection, or not? When phrased that way we could spend weeks debating the pros and cons. And for some WG members, this becomes a guessing game about FTC intentions: data collection is required in the staff report that came out a year ago, but does that mean all collection, most collection, or is just limiting a little collection going to be enough to satisfy the FTC? What does "collection" mean, anyway? Are IP addresses collected even if they are not logged? What about Germany's laws around IP addresses? If we take the broad question of "collection or not?" we could spend a lot of energy and still not have standards language. And yet. When we had a phone conference, we agreed in extraordinarily short time that third parties receiving DNT: 1 stop data collection, unless covered by an exemption. As of that call, data collection is part of the recommendation. 

One of the things I am thinking about quite a bit right now is how we can create recommendations that are useful in different countries, with different laws and values. I am thinking of this as how to simultaneously "solve for the US" and "solve for Germany" with the assumption that if we can manage both, we have a pretty good range. I think this is possible to do at once. It does *not* mean trying to figure out if the US or Germany is "right" on privacy -- not only is that a hopeless task, mercifully it is not ours to take on. There are regulators and lawmakers aplenty. What we are uniquely positioned to do is to work out standards that support those different value systems, not try to standardize values. 

I have just gone into philosophy on why I think we should not get too far into philosophy. Sigh.

Received on Monday, 12 December 2011 18:30:35 UTC
