- From: Bjoern Hoehrmann <derhoermi@gmx.net>
- Date: Thu, 06 Oct 2011 01:09:18 +0200
- To: "Aleecia M. McDonald" <aleecia@aleecia.com>
- Cc: public-tracking@w3.org
* Aleecia M. McDonald wrote: >If a first-party website outsources functionality to a third-party >website, the third party MAY ignore the Do Not Track signal if ANY >of the following conditions are met: This is conceptually wrong: if you ignore the signal then you do not implement the corresponding specification so its requirements do not apply and hence it is meaningless to allow you to ignore the signal. This would rather have to say that any of the following is sufficient treatment of the signal. >1) The third-party website makes public commitments (such as through >a privacy policy) to not leverage data collected across non-commonly >branded or affiliated sites to develop a "profile" of activity and/or >derived outcomes of interest for a user, specific web browser, or >device. http://lists.w3.org/Archives/Public/public-tracking/2011Sep/0116.html seems to say that First Party may send Third Party logs so Third Party can make pretty charts for First Party, but Third Party cannot use the data for any other purpose, "silo the data for the sole use of that first party". >2) The third-party takes reasonable technical precautions to prevent the >collection of cross-site data in such a manner that it cannot be used to >develop a "profile" of activity and/or derived outcomes of interest for >a user, specific web browser, or device. This is redundant with the first point, if you can claim it cannot be done you can also make the weaker claim that you do not do it. >3) The third-party leverages the data collected purely in the effort to >detect and defend against fraudulent activity to the benefit of the first >party sites it serves. This seems to be saying, as far as the Do Not Track signal goes, it is okay to amass profiles about people so long as they are only used to accuse people of "fraudulent activity" at some point in the future. I do not see how that could be part of the specification. If the group does not wish to or feels unable to resolve the dilemma between legiti- mate security and privacy concerns, then it should declare that out of scope rather than allowing anyone building extensive profiles to claim they honour the Do Not Track signal. They don't. End of story. -- Björn Höhrmann · mailto:bjoern@hoehrmann.de · http://bjoern.hoehrmann.de Am Badedeich 7 · Telefon: +49(0)160/4415681 · http://www.bjoernsworld.de 25899 Dagebüll · PGP Pub. KeyID: 0xA4357E78 · http://www.websitedev.de/
Received on Wednesday, 5 October 2011 23:10:02 UTC