W3C home > Mailing lists > Public > public-tracking@w3.org > October 2011

Re: From Shane

From: Bjoern Hoehrmann <derhoermi@gmx.net>
Date: Thu, 06 Oct 2011 01:09:18 +0200
To: "Aleecia M. McDonald" <aleecia@aleecia.com>
Cc: public-tracking@w3.org
Message-ID: <enfp87lbah2ah6lccf19rp4du2kqs64gf8@hive.bjoern.hoehrmann.de>
* Aleecia M. McDonald wrote:
>If a first-party website outsources functionality to a third-party
>website, the third party MAY ignore the Do Not Track signal if ANY
>of the following conditions are met:

This is conceptually wrong: if you ignore the signal then you do not
implement the corresponding specification so its requirements do not
apply and hence it is meaningless to allow you to ignore the signal.
This would rather have to say that any of the following is sufficient
treatment of the signal.

>1) The third-party website makes public commitments (such as through
>a privacy policy) to not leverage data collected across non-commonly
>branded or affiliated sites to develop a "profile" of activity and/or
>derived outcomes of interest for a user, specific web browser, or
>device.

http://lists.w3.org/Archives/Public/public-tracking/2011Sep/0116.html
seems to say that First Party may send Third Party logs so Third Party
can make pretty charts for First Party, but Third Party cannot use the
data for any other purpose, "silo the data for the sole use of that
first party".

>2) The third-party takes reasonable technical precautions to prevent the
>collection of cross-site data in such a manner that it cannot be used to
>develop a "profile" of activity and/or derived outcomes of interest for
>a user, specific web browser, or device.

This is redundant with the first point, if you can claim it cannot be
done you can also make the weaker claim that you do not do it.

>3) The third-party leverages the data collected purely in the effort to
>detect and defend against fraudulent activity to the benefit of the first
>party sites it serves.

This seems to be saying, as far as the Do Not Track signal goes, it is
okay to amass profiles about people so long as they are only used to
accuse people of "fraudulent activity" at some point in the future. I
do not see how that could be part of the specification. If the group
does not wish to or feels unable to resolve the dilemma between legiti-
mate security and privacy concerns, then it should declare that out of
scope rather than allowing anyone building extensive profiles to claim
they honour the Do Not Track signal. They don't. End of story.
-- 
Björn Höhrmann · mailto:bjoern@hoehrmann.de · http://bjoern.hoehrmann.de
Am Badedeich 7 · Telefon: +49(0)160/4415681 · http://www.bjoernsworld.de
25899 Dagebüll · PGP Pub. KeyID: 0xA4357E78 · http://www.websitedev.de/ 
Received on Wednesday, 5 October 2011 23:10:02 UTC

This archive was generated by hypermail 2.3.1 : Friday, 3 November 2017 21:44:41 UTC