Re: Does DNT apply only to 3rd parties, and cross-site tracking?

To clarify very quickly --

Matthias is remembering the discussion about how third parties acting on behalf of first parties (for example, analytics) could be treated as agents of the first party. The central idea was that if third parties do not combine data across multiple first parties, they are acting as an agent of the first party and should therefore be treated as first parties. We had a split on how that should happen. Some WG members favored binding third parties by legal contract not to combine data, some WG members favored technical means to silo the data so it could not be combined across multiple first parties, and some thought either approach was fine. As a result of this unresolved split, we did not reach agreement.

Carmen and John, in contrast, are asking about a far more general case: first parties acting as first parties. They are making the point that first parties can and do track users. We have heard use cases from Jules that boil down to how first party tracking might be a loophole large enough to make our other work nearly irrelevant, we have heard it is fine to track users so long as we change the name Do Not Track to avoid embarrassing press later, we have open issues on if no restrictions (as the two current proposals stand) means a first party can sell data, and if a first party can buy data, and Shane is willing to limit geographic targeting to MSA, not zip-plus four, and thinks that is the general group thinking. None of this is resolved. It may also be that the formulation of first v. third party is better addressed as a split something like "co-branded known interactions" v. "invisible or unbranded parties," or something along those lines.

Matthias is also taunting me a bit here. So far the only research on user expectations for Do Not Track is a study I did prior to becoming co-chair. Some participants from the Princeton workshop may recall the early results I presented there, or Chris Hoofnagle asking a follow-up question.
 
     Aleecia 

On Oct 27, 2011, at 12:23 AM, Matthias Schunter <mts@zurich.ibm.com> wrote:

> Hi!
> 
> 
> An important agreement at our Boston workshop was that first parties
> need to 'somehow' limit their data exchange for users which have DNT
> turned on. The term Jonathan used was 'silo-ing' potential tracking data.
> 
> Technically, without such a requirement, any party (including 3rd)
> would be permitted to collect any data via the first party, which
> would permit arbitrary data collecting and tracking. I personally
> believe this would not meet user expectations.
> 
> 
> Regards,
> matthias
> 
> 
> On 10/27/2011 7:36 AM, Aleecia M. McDonald wrote:
>> Hi Carmen,
>> 
>> You are correct that it is not resolved what (if anything) first parties will need to do to comply. You are also correct that there has been quite a lot of prior discussion in this area, and strawman documents reflect the general direction of those discussions. 
>> 
>> Most links to information for the working group are available from the main page, http://www.w3.org/2011/tracking-protection/ There you can find links to:
>> 
>>    - The archive of this mailing list, http://lists.w3.org/Archives/Public/public-tracking/
>>    - The issue and action tracker, http://www.w3.org/2011/tracking-protection/track/
>>       When you know specific issues you are interested in, you can find them here (look for the link on the far right for "all") and see a summary of every mailing list discussion that mentions that issue by number. 
>>    - Minutes from prior meetings
>> 
>> There are also a number of working group members who have worked on Do Not Track in prior contexts, or refer to what Do Not Track was intended to solve. This is interesting and useful history, but the W3C working group may choose to go in new directions. For example, we are not likely to go with the very early plan of having users register for DNT. :-)  
>> 
>>    Aleecia
>> 
>> On Oct 26, 2011, at 7:22 AM, Carmen Balber wrote:
>> 
>>> As a newcomer I missed your initial discussions, so I'm hoping someone can
>>> help fill me in on something I noticed in the Tracking Preference Expression
>>> strawman doc, and to a lesser extent the Compliance doc: Both presume that
>>> DNT would apply only to 3rd parties, or that tracking is defined to include
>>> only cross-site tracking.
>>> 
>>> For example, in the Tracking Preference Expression Introduction:  "... we
>>> need a mechanism for the user to express their own preference regarding
>>> cross-site tracking that is both simple to configure and efficient when
>>> implemented. Likewise, since some Web sites may be dependent on the revenue
>>> obtained from targeted advertising and unwilling (or unable) to permit use
>>> of their content without cross-site data collection, we need a mechanism for
>>> sites to alert the user to those requirements and allow the user to
>>> opt-back-in to tracking for specific sites."
>>> 
>>> And in the same document, 4. Expressing a Tracking Preference - "When a user
>>> has configured a tracking preference, that preference needs to be expressed
>>> to all mechanisms that might perform or initiate tracking by third parties,
>>> including sites that the user agent communicates with via HTTP, scripts that
>>> can extend behavior on pages, and plug-ins or extensions that might be
>>> installed and activated for various media types."
>>> 
>>> Isn't the question of limiting the definition of tracking to cross-site
>>> tracking still open as Issue 5 - the definition?
>>> 
>>> Has the question of whether DNT would apply to 1st parties as well as 3rd
>>> parties been discussed and resolved, and if so is that discussion reflected
>>> anywhere?
>>> 
>>> Many thanks,
>>> Carmen
>>> -- 
>>> Carmen Balber
>>> Washington Director
>>> Consumer Watchdog
>>> 413 E. Capitol St. SE, 1st Floor
>>> Washington, D.C  20003
>>> p:(202) 629-3043
>>> http://www.consumerwatchdog.org
>>> 
>>> On 10/25/11 1:11 AM, "Roy T. Fielding" <fielding@gbiv.com> wrote:
>>> 
>>>> Hi all,
>>>> 
>>>> I have been trying to get the TPE spec into reasonable shape for review
>>>> as a straw-man document.  It is still missing a couple of legs, but
>>>> it would be best if you could review the parts that are in place before
>>>> the teleconference on Wednesday.
>>>> 
>>>> http://www.w3.org/2011/tracking-protection/drafts/tracking-dnt.html
>>>> 
>>>> Please note that it is the nature of straw-man documents that they do not
>>>> represent working group consensus by any stretch of the imagination.
>>>> It is intended to push forward in areas that I think we might actually
>>>> have consensus, if I'm lucky, and take mild steps forward in areas
>>>> where we clearly don't.
>>>> 
>>>> The parts that I have yet to add are the ones we have discussed most,
>>>> namely the responses to DNT.  My goal is to have that in the document,
>>>> as a set of alternatives, before we freeze it on Thursday, but please
>>>> don't wait until then to review the other parts of the document.
>>>> 
>>>> 
>>>> Cheers,
>>>> 
>>>> Roy T. Fielding                     <http://roy.gbiv.com/>
>>>> Principal Scientist, Adobe Systems  <http://adobe.com/enterprise>
>>>> 
> 
> -- 
> Dr. Matthias Schunter, MBA
> IBM Research - Zurich, Switzerland
> Ph. +41 (44) 724-8329,  schunter(at)acm.org
> PGP 989A A3ED 21A1 9EF2 B005 8374 BE0E E10D
> VCard: http://www.schunter.org/schunter.vcf
> 
> 

Received on Thursday, 27 October 2011 15:07:45 UTC