- From: John Simpson <john@consumerwatchdog.org>
- Date: Wed, 16 Nov 2011 19:51:29 -0800
- To: John Simpson <john@consumerwatchdog.org>
- Cc: Jules Polonetsky <julespol@futureofprivacy.org>, Nicholas Doty <npdoty@w3.org>, "Roy T. Fielding" <fielding@gbiv.com>, Mark Nottingham <mnot@mnot.net>, Karl Dubost <karld@opera.com>, "<public-tracking@w3.org>" <public-tracking@w3.org>
Sorry, left out NOT. First parties must NOT share data with others. ---------------- John M. Simpson Consumer Advocate Consumer Watchdog Tel: 310-392-7041 On Nov 16, 2011, at 7:45 PM, John Simpson <john@consumerwatchdog.org> wrote: > I think there are some "must" requirements on first party sites. specifically they must share data with others ... > > ---------------- > John M. Simpson > Consumer Advocate > Consumer Watchdog > Tel: 310-392-7041 > > > On Nov 16, 2011, at 7:24 PM, "Jules Polonetsky" <julespol@futureofprivacy.org> wrote: > >> I thought there was consensus that requirements on first parties were "may" >> and third parties were "must" or "shall". >> >> -----Original Message----- >> From: Nicholas Doty [mailto:npdoty@w3.org] >> Sent: Wednesday, November 16, 2011 10:20 PM >> To: Roy T. Fielding >> Cc: John Simpson; Mark Nottingham; Karl Dubost; public-tracking@w3.org WG >> (public-tracking@w3.org) >> Subject: Re: "cross-site" >> >> On Nov 16, 2011, at 12:43 AM, Roy T. Fielding wrote: >> >>> On Nov 15, 2011, at 2:59 PM, John Simpson wrote: >>> >>>> Perhaps I am missing something, but I don't understand why we need the >> reference to "cross-site" nor to "across sites." As a user I want to send a >> clear and unambiguous signal that I do not wish to be tracked. I may be >> persuaded that first party sites and third party sites have different >> obligations when my message is received, but I definitely want both first >> and third party sites to get my message. Thus, I believe the specification >> should simply read: >>>> >>>> "This specification defines the technical mechanisms for expressing a >> tracking preference via the DNT request header field in HTTP." >>> >>> No, we've already had this conversation. >>> >>> We chose to make exceptions for analytics and first-party-exclusive >> tracking from the preference expression because they are not a privacy >> concern, they do match user expectations, and are necessary for DNT >> adoption. >> >> As John points out, while we do seem to agree that first and third parties >> may have different requirements, I'm not aware of a consensus decision that >> first parties are entirely excepted from the standards. In fact, the >> compliance document currently contains a "First Party Compliance" section, >> ISSUE-17 remains open and first parties could provide meaningful responses >> with the proposed response header. >> >> I also don't remember us choosing to grant an exception for analytics, >> besides highlighting that for later discussion. ISSUEs 23 and 24 haven't >> been opened yet, though the work on 73 suggests a direction for one type of >> analytics. >> >>> The combination of those two choices requires that we place an adjective >> before tracking in order to properly define the meaning of the header field. >> "cross-site" is good enough for me. We can replace it if somebody comes up >> with a better shorthand term. >> >> I'd be happy with John's suggested text, or with whatever language we land >> on in the compliance document (there are open issues there about >> "behavioral" as a potential modifier for this purpose). >> >> -Nick >
Received on Thursday, 17 November 2011 03:52:37 UTC