- From: Jonathan Mayer <jmayer@stanford.edu>
- Date: Fri, 3 Feb 2012 15:52:56 -0800
- To: Tom Lowenthal <tom@mozilla.com>
- Cc: Lauren Gelman <gelman@blurryedge.com>, Justin Brookman <justin@cdt.org>, public-tracking@w3.org
Substantively, I'm in general agreement.
In the interest of analytical consistency and not conflating issues, I'd avoid siting this content in the high-level compliance section. I'd instead locate the discussion of personalization by IP geolocation, user-agent, and referrer in a contextual personalization exception.
Jonathan
On Feb 3, 2012, at 3:34 PM, Tom Lowenthal wrote:
> ACTION-65 ISSUE-39
>
> Proposed text. Compare with text currently in
> [S-4.1.2](http://www.w3.org/2011/tracking-protection/drafts/tracking-compliance.html#third-party-compliance)
>
> ~~~~
> ### Compliance by a third party {#third-party-compliance}
>
> If the operator of a third-party domain receives a communication to
> which a [DNT-ON] header is attached:
>
> 1. that operator MUST NOT collect or use information related to that
> communication outside of the explicitly expressed exceptions as defined
> within this standard;
> 2. that operator MUST NOT use information about previous communications
> in which the operator was a third party, outside of the explicitly
> expressed exceptions as defined within this standard;
> 3. that operator [MUST NOT or SHOULD NOT] retain information about
> previous communications in which the operator was a third party, outside
> of the explicitly expressed exceptions as defined within this standard.
>
> #### Non-Normative Discussion
>
> It is acceptable to use data sent as part of this particular network
> interaction when composing a response to a [DNT-ON] request, but it is
> not acceptable to store that data any longer than needed to reply. For
> instance, it would be appropriate to use an IP address to guess which
> country a user is in, to avoid showing them an advertisement for
> products or services unavailable where they live.
>
> When using request-specific information to compose a reply, some levels
> of detail may feel invasive to users, and may violate their expectations
> about Do Not Track. These sorts of detailed assessments should be avoided.
>
> *Reasonable behavior*: A user visits you from an IP address which a
> general geo-IP database suggests is in the NYC area, where it is 6pm on
> a Friday. You choose to show an advertisement for theaters and
> restaurants in the area.
>
> *Invasive behavior*: A user visits you from an IP address which suggests
> that they are in a particular ZIP+4, which has a distinctive demographic
> profile. Their user-agent indicates that they are a Mac user, further
> narrowing their expected profile. You serve them an ad for business
> within a few blocks of them which specializes in items which their
> expected profile indicates they may enjoy.
>
> In this example, even though the decision about which ad to serve was
> based exclusively on request specific information, but was still
> tailored to a highly-specific user profile. In particular, the
> estimation of a user's location to within a single ZIP+4 may make a user
> feel that they are being followed closely, even if the decision was made
> on the fly, and the information was only held ephemerally.
>
> ~~~
>
Received on Friday, 3 February 2012 23:53:31 UTC