Re: Request for comments on priorities for DNT

Comments on Priorities:

1. In recent months there has been a growing sentiment expressed by some that the W3C should only focus on developing a technical standard on how the DNT message should be sent. Deciding how technically to send a message without spelling out what the obligations are for the server that receives the message would produce a meaningless specification. It is essential that our working group produce both the Tracking Preference Expression standard and the Tracking Compliance and Scope standard. One without the other would be useless.  Both must be released at the same time.  

2. I have long been of the view that there is no need to define tracking to complete the WG's task.  Consensus is only needed around what the obligations are of the site that receives a valid DNT message.  Activities that are not allowed when the DNT message is received would constitute "tracking."  However, if the WG insists on first defining "tracking," I offer this definition: Tracking is the collection and correlation of data about the Internet activities of a particular user, computer, or device over time and across a website or websites.

3. I suggest we revisit the question of first and third parties and legalistic definitions that users do not understand.  A better approach, as Roy Fielding has suggested, may be to follow the European data controller and data processor approach.

Regards,
John

---------
John M. Simpson
Privacy Project Director
Consumer Watchdog
2701 Ocean Park Blvd., Suite 112
Santa Monica, CA, 90405
Tel: 310-392-7041
Cell: 310-292-1902
www.ConsumerWatchdog.org
john@consumerwatchdog.org

On Dec 3, 2012, at 3:24 AM, Roy T. Fielding wrote:

> 1. Define "tracking" and reduce the scope of compliance to turning off
>   that tracking.  We can't expect users to express a preference if we
>   can't explain to them what is intended by DNT:1.  We will never
>   reach agreement on specific use case requirements if we don't agree
>   on the desired effect that those requirements are intended to achieve.
>   If we can't agree on a definition, then close the WG or partition
>   into multiple groups based on each shared objective.
> 
> 2. Fix "party" definitions so that they reflect user intent regarding
>   tracking (see above) instead of legalistic boundaries of ownership.
>   If necessary, use EU definitions of data controller and data processor
>   to target compliance requirements that preserve user transparency
>   and control, regardless of first/third party status for any given
>   interaction.  This will eliminate the need for special requirements
>   on contractors ("service providers") and solve the current problem of
>   compliance definitions that prevent a company from sharing data with
>   its own contractors under NDA.
> 
> 3. Eliminate compliance requirements that require guessing of user
>   intent (e.g., "I am the first party"). Instead, communicate
>   statements of fact (e.g., "I comply with DNT's requirements on
>   a first party") and require that resource deployment be consistent
>   with those statements (e.g., If a resource claims to only comply
>   with requirements on a first party, then the resource owner must
>   not knowingly allow that resource to be deployed in third-party
>   contexts, and must correct any unintentional deployments within
>   a reasonable period after being notified).
> 
> 
> Cheers,
> 
> Roy T. Fielding                     <http://roy.gbiv.com/>
> Senior Principal Scientist, Adobe   <http://www.adobe.com/>
> 

Received on Wednesday, 5 December 2012 04:00:43 UTC