Re: Issue-17, Issue-51 First party obligations; Issue-5 Definition of Tracking

Colleagues,

One of the reasons Consumer Watchdog is here, and other public interest organizations have been invited to participate, is to help identify concepts that the usual W3C participants, no matter how well-intentioned, may not have considered from the consumer point of view.

Though some -- perhaps many -- in this group define DNT to mean do not track me across non-same-branded sites, that is not how we believe a user will understand it. Users expect DNT to mean do not track what I'm doing, and don’t necessarily make the distinction between activity on one site or across sites. I understand that the forthcoming study from Jon Peha and Aleecia on user expectations of DNT is likely to back this up. (Aleecia - What is the status of this research?)

Yes, it is certainly true that consumers are aware of and expect some 1st party tracking. For example, most people expect Amazon to remember purchases and suggest purchases later. But that is primarily because we're all so familiar with Amazon’s recommendation service. I have no expectation that the New York Times is tracking my reading habits, and using that information to advertise to me, or filter what articles I see next time I visit nytimes.com. Consumers are generally not aware of and do not expect the myriad ways sites track information.

It seems to me that this group should define DNT to conform as closely as possible to consumers' expectations, and that is much broader than merely limiting DNT to non-same-branded sites. While they expect DNT to apply to 1st party sites, I think they will accept the idea that the DNT requirements on 1st Party tracking are less stringent than those on 3rd party sites.

It then becomes incumbent on us to make clear the reasons for those exceptions and justify them to the user. However, if this group is going to define DNT to merely mean DNT across non-same-branded sites, it will be too far out of synch with user expectations. Consumers are likely to enable DNT, find out they're still being tracked by 1st parties against their expectations, and lose faith in the entire function. 

In regards to private browsing mode: Although this feature gives consumers the option of preventing their online activities from being recorded on their own computer, it does not prevent any website, 1st or 3rd party, from collecting information on a session, including identifying user information such as IP address, and retaining it for future use. If it did, we'd already have a usable DNT option. Privacy mode -- aka "porn mode" -- protects the users' privacy from others who share the computer.  The classic public use example is that your spouse won't know you've been shopping for a gift for them...

As to companies not implementing DNT if it applies to analytics: it has already been suggested that analytics is a space where exceptions may apply. Fraud prevention is another area.

Best regards,
John

Tags: Issue-17, Issue-51, Issue-5

On Nov 28, 2011, at 5:42 PM, Roy T. Fielding wrote:

> On Nov 28, 2011, at 5:13 PM, John Simpson wrote:
> 
>> Roy,
>> 
>> Sorry, I don't follow you. Why is DNT orthogonal to private browsing?  I'm simply trying to state what my expectation is as a user if I enable DNT.  I intuitively expect to interact with a 1st Party for that transaction, but why would I expect the site to continue to use that information for anything in the future if I have enabled DNT?
> 
> Because DNT does not mean "do not track".  It means do not track me
> across non-same-branded sites. If you have a user expectation that
> differs from that, then we need to fix that expectation (not DNT).
> 
> The expectation you expressed above is already implemented in browsers
> as private browsing mode.  We have no need to duplicate it in DNT
> because it can be turned on in addition to DNT.  That is a user choice.
> 
> I, as an implementor, will not implement DNT if it has a significant
> impact on analytics beyond sharing data with 3rd parties.
> There is no implied right to privacy regarding data provided by
> a user when they deliberately choose to enter an establishment,
> which means the stuff we see in access logs, first-party cookies,
> and contracted analytics providers that silo data per site
> should not be impacted by DNT.  It may well be impacted by other
> regulations, depending on context, but not by DNT.
> 
> ....Roy
> 

----------
John M. Simpson
Consumer Advocate
Consumer Watchdog
1750 Ocean Park Blvd., Suite 200
Santa Monica, CA 90405
Tel: 310-392-7041
Cell: 310-292-1902
www.ConsumerWatchdog.org
john@consumerwatchdog.org

Received on Wednesday, 30 November 2011 00:08:34 UTC