
RE: From Shane

From: Shane Wiley <wileys@yahoo-inc.com>
Date: Wed, 5 Oct 2011 20:22:29 -0700
To: Bjoern Hoehrmann <derhoermi@gmx.net>, "Aleecia M. McDonald" <aleecia@aleecia.com>
CC: "public-tracking@w3.org" <public-tracking@w3.org>
Message-ID: <63294A1959410048A33AEE161379C8023D01C95192@SP2-EX07VS02.ds.corp.yahoo.com>

>If a first-party website outsources functionality to a third-party
>website, the third party MAY ignore the Do Not Track signal if ANY
>of the following conditions are met:

This is conceptually wrong: if you ignore the signal then you do not
implement the corresponding specification so its requirements do not
apply and hence it is meaningless to allow you to ignore the signal.
This would rather have to say that any of the following is sufficient
treatment of the signal.

[Depending on the core definition of DNT, this could be conceptually correct in statement but I believe the core issue at hand is more what is in scope with respect to DNT and what is not for 3rd party. We can focus on specific wording in the context of the actual definition afterwards.]

>1) The third-party website makes public commitments (such as through
>a privacy policy) to not leverage data collected across non-commonly
>branded or affiliated sites to develop a "profile" of activity and/or
>derived outcomes of interest for a user, specific web browser, or

seems to say that First Party may send Third Party logs so Third Party
can make pretty charts for First Party, but Third Party cannot use the
data for any other purpose, "silo the data for the sole use of that
first party".

[Agreed - I should add the caveat "for behavioral advertising purposes" to end of the condition to separate analytics from OBA.

"...to not leverage data collected across non-commonly branded or affiliated sites to develop a profile of activity and/or derived outcomes of interest for a user, specific web browser, or device for behavioral advertising purposes."]

>2) The third-party takes reasonable technical precautions to prevent the
>collection of cross-site data in such a manner that it cannot be used to
>develop a "profile" of activity and/or derived outcomes of interest for
>a user, specific web browser, or device.

This is redundant with the first point, if you can claim it cannot be
done you can also make the weaker claim that you do not do it.

[This is not redundant as the initial condition is "ANY" of these may occur so EITHER condition #1, #2, OR #3 satisfies the condition.]

>3) The third-party leverages the data collected purely in the effort to
>detect and defend against fraudulent activity to the benefit of the first
>party sites it serves.

This seems to be saying, as far as the Do Not Track signal goes, it is
okay to amass profiles about people so long as they are only used to
accuse people of "fraudulent activity" at some point in the future. I
do not see how that could be part of the specification. If the group
does not wish to or feels unable to resolve the dilemma between legitimate
security and privacy concerns, then it should declare that out of
scope rather than allowing anyone building extensive profiles to claim
they honour the Do Not Track signal. They don't. End of story.

[The sequel... :-)  I believe it will be helpful in the development of the DNT standard to articulate what data uses may continue even if the DNT signal is activated.  In this case, while the intention is to not "accuse people of fraudulent activity" there is a real business need to leverage data to detect and defend against fraudulent and malicious activity to protect both consumers and the businesses they interact with.  By saying it is out of scope, wouldn't that mean this data use is "allowed" even if the DNT signal is received (does Out of Scope in this context mean is covered or not covered)?  Is it better to ignore this (Out of Scope) or to address it more directly (define permissible uses)?  There are solid arguments in either direction but I'm leaning towards scoping in permitted uses rather than leaving this as an open question.]

Björn Höhrmann · mailto:bjoern@hoehrmann.de · http://bjoern.hoehrmann.de
Am Badedeich 7 · Telefon: +49(0)160/4415681 · http://www.bjoernsworld.de
25899 Dagebüll · PGP Pub. KeyID: 0xA4357E78 · http://www.websitedev.de/
Received on Thursday, 6 October 2011 03:23:47 UTC