- From: Lauren Gelman <gelman@blurryedge.com>
- Date: Mon, 6 Feb 2012 17:18:12 -0800
- To: Jonathan Mayer <jmayer@stanford.edu>
- Cc: Tom Lowenthal <tom@mozilla.com>, Justin Brookman <justin@cdt.org>, public-tracking@w3.org
I don't understand how the text of this exemption [exception?] is limited to geo-location, but the subject matter should be part of the exception conversation. It looks like a use limitation-- If someone is DNT:1, you can either collect and use their IP address for the purposes of targeting them based on location, or you cannot. You can either show them an ad for a service/good/store proximate to them, or you cannot. You can either combine geo info with other info to do more targeted-targeting, or you cannot.
I think use cases like you describe that try to draw a line based on some sort of creepiness quotient are going to be impossible to implement. IP is a type of unique identifier, just like a referrer ID is a type of unique identifier, as are other cookies and tags. They need to be treated as such.
[I am also generally against the idea that DNT is only about limiting the perception of tracking and not about actually limiting tracking, but I don't think that you need to agree with me on this point]
On Feb 3, 2012, at 3:52 PM, Jonathan Mayer wrote:
> Substantively, I'm in general agreement.
>
> In the interest of analytical consistency and not conflating issues, I'd avoid siting this content in the high-level compliance section. I'd instead locate the discussion of personalization by IP geolocation, user-agent, and referrer in a contextual personalization exception.
>
> Jonathan
>
> On Feb 3, 2012, at 3:34 PM, Tom Lowenthal wrote:
>
>> ACTION-65 ISSUE-39
>>
>> Proposed text. Compare with text currently in
>> [S-4.1.2](http://www.w3.org/2011/tracking-protection/drafts/tracking-compliance.html#third-party-compliance)
>>
>> ~~~~
>> ### Compliance by a third party {#third-party-compliance}
>>
>> If the operator of a third-party domain receives a communication to
>> which a [DNT-ON] header is attached:
>>
>> 1. that operator MUST NOT collect or use information related to that
>> communication outside of the explicitly expressed exceptions as defined
>> within this standard;
>> 2. that operator MUST NOT use information about previous communications
>> in which the operator was a third party, outside of the explicitly
>> expressed exceptions as defined within this standard;
>> 3. that operator [MUST NOT or SHOULD NOT] retain information about
>> previous communications in which the operator was a third party, outside
>> of the explicitly expressed exceptions as defined within this standard.
>>
>> #### Non-Normative Discussion
>>
>> It is acceptable to use data sent as part of this particular network
>> interaction when composing a response to a [DNT-ON] request, but it is
>> not acceptable to store that data any longer than needed to reply. For
>> instance, it would be appropriate to use an IP address to guess which
>> country a user is in, to avoid showing them an advertisement for
>> products or services unavailable where they live.
>>
>> When using request-specific information to compose a reply, some levels
>> of detail may feel invasive to users, and may violate their expectations
>> about Do Not Track. These sorts of detailed assessments should be avoided.
>>
>> *Reasonable behavior*: A user visits you from an IP address which a
>> general geo-IP database suggests is in the NYC area, where it is 6pm on
>> a Friday. You choose to show an advertisement for theaters and
>> restaurants in the area.
>>
>> *Invasive behavior*: A user visits you from an IP address which suggests
>> that they are in a particular ZIP+4, which has a distinctive demographic
>> profile. Their user-agent indicates that they are a Mac user, further
>> narrowing their expected profile. You serve them an ad for business
>> within a few blocks of them which specializes in items which their
>> expected profile indicates they may enjoy.
>>
>> In this example, even though the decision about which ad to serve was
>> based exclusively on request specific information, but was still
>> tailored to a highly-specific user profile. In particular, the
>> estimation of a user's location to within a single ZIP+4 may make a user
>> feel that they are being followed closely, even if the decision was made
>> on the fly, and the information was only held ephemerally.
>>
>> ~~~
>>
>
Lauren Gelman
BlurryEdge Strategies
415-627-8512
gelman@blurryedge.com
http://blurryedge.com
Received on Wednesday, 8 February 2012 20:57:07 UTC