Priorities

On the compliance side, I think the work of the group needs to be 
focused on generating consensus (or at least a definitive decision) on 
just a few issues.  (As an editor and self-appointed chair, I am taking 
slight liberties with the word limit):

(1) /*Unique identifiers.*/  This has been an intractable issue within 
the group since Day One.  The chairs need to make a definitive decision 
and move on.

(2) /*User agent compliance.*/  This is really two issues --- whether 
the group prescribes user interface for user agents and whether 
third-party ad networks can make subjective determinations about user 
intent.  On user agent interface, I believe the compliance spec has 
erred on the side of being too detailed and prescriptive, so I would 
advise against being prescriptive in this instance too.  However, if the 
group does decide to place prescriptive requirements on user agents, 
then the group needs to specify comparable levels of prescriptive 
requirements on publishers/third parties in getting user permission for 
an exception to Do Not Track.  What's good for the goose is good for the 
gander.  On who decides what is compliant, I do not believe that 
third-party ad networks are well placed to make subjective 
determinations of user intent when they see a DNT signal.  I think the 
appropriate compromise here is that ad networks can respond to a 
particular DNT signal not that the signal is invalid (unless its syntax 
is wrong) but that the ad network will not honor the signal (or 
alternatively they can get an exception).  Perhaps this is just an issue 
of semantics, but in either case it will be incumbent upon the user 
agent to determine how to handle such a rejection.

(3) /*Unlinkability.*/  Now that market research/product 
improvement/aggregate reporting has been removed from permitted uses, I 
think permitted uses is fairly well baked (though we can fruitlessly 
wrangle over wording, of course).  However, that debate has effectively 
moved to the definition of what constitutes unidentifiable/unlinkable 
data such that data cannot reasonably be linked back to an individual.  
The group has had some interesting and occasionally productive 
conversations on this point, but at some point a definitive 
determination needs to be made.

I believe the rest is just details.  Ian and I can quibble about link 
shorteners, but I think the above issues get us 95% of the way home.

I'm not sure it makes sense to continue the meta-discussion about 
whether companies can comply via a different definition of compliance 
than that contained in the compliance spec.  We have worked for over a 
year on the compliance spec; we should make a recommendation.  If at the 
end of the day, companies implement in a different way, W3C cannot stop 
that from happening even if I think that would be a problematic result.

Finally, I continue to think that focusing on defining tracking is a 
distraction.  We've already defined it in writing the compliance 
document.  If people really want to define tracking (which is not an 
operational word in the compliance document), we have two options: (1) 
tracking is "engaging in data collection, use, or retention in violation 
of this standard" or (2) tracking is "the collection and retention of 
data across multiple parties' web domains in a form such that it can be 
attributed to a specific user or device."  If we go for the second 
option, we would need to rename the effort "Limit Web Tracking" which 
perhaps is more forthright anyway.  There are revisions that should be 
made to the other operative definitions such as collection, though I 
ultimately believe these should not be controversial.

-- 
Justin Brookman
Director, Consumer Privacy
Center for Democracy & Technology
1634 I Street NW, Suite 1100
Washington, DC 20006
tel 202.407.8812
fax 202.637.0969
justin@cdt.org
http://www.cdt.org
@CenDemTech
@JustinBrookman

Received on Wednesday, 5 December 2012 16:35:55 UTC