- From: Jules Polonetsky <julespol@futureofprivacy.org>
- Date: Wed, 16 Nov 2011 22:55:29 -0500
- To: "'John Simpson'" <john@consumerwatchdog.org>
- Cc: "'Nicholas Doty'" <npdoty@w3.org>, "'Roy T. Fielding'" <fielding@gbiv.com>, "'Mark Nottingham'" <mnot@mnot.net>, "'Karl Dubost'" <karld@opera.com>, <public-tracking@w3.org>
You mean "must" NOT share data with others, correct? Agree...although perhaps dealt with via definition of a first party as someone who does not passively share data with third parties. -----Original Message----- From: John Simpson [mailto:john@consumerwatchdog.org] Sent: Wednesday, November 16, 2011 10:46 PM To: Jules Polonetsky Cc: Nicholas Doty; Roy T. Fielding; Mark Nottingham; Karl Dubost; <public-tracking@w3.org> Subject: Re: "cross-site" I think there are some "must" requirements on first party sites. specifically they must share data with others ... ---------------- John M. Simpson Consumer Advocate Consumer Watchdog Tel: 310-392-7041 On Nov 16, 2011, at 7:24 PM, "Jules Polonetsky" <julespol@futureofprivacy.org> wrote: > I thought there was consensus that requirements on first parties were "may" > and third parties were "must" or "shall". > > -----Original Message----- > From: Nicholas Doty [mailto:npdoty@w3.org] > Sent: Wednesday, November 16, 2011 10:20 PM > To: Roy T. Fielding > Cc: John Simpson; Mark Nottingham; Karl Dubost; public-tracking@w3.org > WG > (public-tracking@w3.org) > Subject: Re: "cross-site" > > On Nov 16, 2011, at 12:43 AM, Roy T. Fielding wrote: > >> On Nov 15, 2011, at 2:59 PM, John Simpson wrote: >> >>> Perhaps I am missing something, but I don't understand why we need >>> the > reference to "cross-site" nor to "across sites." As a user I want to > send a clear and unambiguous signal that I do not wish to be tracked. > I may be persuaded that first party sites and third party sites have > different obligations when my message is received, but I definitely > want both first and third party sites to get my message. Thus, I > believe the specification should simply read: >>> >>> "This specification defines the technical mechanisms for expressing >>> a > tracking preference via the DNT request header field in HTTP." >> >> No, we've already had this conversation. >> >> We chose to make exceptions for analytics and first-party-exclusive > tracking from the preference expression because they are not a privacy > concern, they do match user expectations, and are necessary for DNT > adoption. > > As John points out, while we do seem to agree that first and third > parties may have different requirements, I'm not aware of a consensus > decision that first parties are entirely excepted from the standards. > In fact, the compliance document currently contains a "First Party > Compliance" section, > ISSUE-17 remains open and first parties could provide meaningful > responses with the proposed response header. > > I also don't remember us choosing to grant an exception for analytics, > besides highlighting that for later discussion. ISSUEs 23 and 24 > haven't been opened yet, though the work on 73 suggests a direction > for one type of analytics. > >> The combination of those two choices requires that we place an >> adjective > before tracking in order to properly define the meaning of the header field. > "cross-site" is good enough for me. We can replace it if somebody > comes up with a better shorthand term. > > I'd be happy with John's suggested text, or with whatever language we > land on in the compliance document (there are open issues there about > "behavioral" as a potential modifier for this purpose). > > -Nick
Received on Thursday, 17 November 2011 03:56:08 UTC