W3C home > Mailing lists > Public > public-tracking@w3.org > February 2012

RE: ACTION-110: Write proposal text for what it means to "not track" (ISSUE-119)

From: Kevin Smith <kevsmith@adobe.com>
Date: Thu, 16 Feb 2012 10:50:19 -0800
To: "Amy Colando (LCA)" <acolando@microsoft.com>, John Simpson <john@consumerwatchdog.org>, "Aleecia M. McDonald" <aleecia@aleecia.com>
CC: "(public-tracking@w3.org)" <public-tracking@w3.org>
Message-ID: <6E120BECD1FFF142BC26B61F4D994CF3064CAB580B@nambx07.corp.adobe.com>
So, if I understand it right, we want a super-not-tracker response option because otherwise privacy-protective sites would be afraid that being DNT-compliant would imply that they ARE tracking according to what is permissible under the DNT standard?  Wouldn't being non-DNT compliant imply even more?  I agree with Amy.  What makes you think "Duck Duck Go" is a privacy protective site?  Clearly, since you know that, they have done a good job of communicating such, and should continue to do so.  If they kept their current level of privacy protection, and communicated their policy in the same way they are now, would you really start to doubt their intentions because they also declare they are DNT compliant?

From: Amy Colando (LCA) [mailto:acolando@microsoft.com]
Sent: Thursday, February 16, 2012 11:42 AM
To: John Simpson; Aleecia M. McDonald
Cc: (public-tracking@w3.org)
Subject: RE: ACTION-110: Write proposal text for what it means to "not track" (ISSUE-119)

I don't recall the discussion in Brussels on the necessity of this text - and I am trying to understand what place it would have in the specification.  Would there be a separate response header for such sites?  Even if that was this case, how could that response header, or a W3C standards document, possibly be more discoverable than "an unread privacy policy" on the site itself?  I don't understand why the site cannot simply claim - in a prominent location as they wish - that they do not collect any data whatsoever.  I personally think that Duck, Duck Go<http://duckduckgo.com/> does a great job of this in their UI (although for the record, I do not like herpes).

From: John Simpson [mailto:john@consumerwatchdog.org]
Sent: Thursday, February 16, 2012 10:21 AM
To: Aleecia M. McDonald
Cc: (public-tracking@w3.org)
Subject: Re: ACTION-110: Write proposal text for what it means to "not track" (ISSUE-119)


"Exceeds the compliance standard and does not collect and retain any data."

On Feb 15, 2012, at 11:48 PM, Aleecia M. McDonald wrote:

To the best of my recollection there was no objection to this issue when we agreed to take it up in Belgium. I think we are having word choice difficulty, plus have lost sight of the point of the issue. The use case, as I understood it from Tom, was for the sites like Duck, Duck, Go that will not implement DNT because they are afraid their users will think they do all of the various things allowed under DNT. It was not to create some new hurdle companies should do, but rather to give those (few, for commercial sites, I expect) who already follow the practices Ninja a way to make that clear to their users, beyond an un-read privacy policy. Otherwise, we will continue to have the odd situation that the most privacy-protective sites do not want to adopt DNT for fear it will scare their users away.

Bottom line: can someone suggest a better label for this than "absolutely not tracking"?


On Feb 15, 2012, at 9:48 AM, Kevin Smith wrote:

I agree with some of the sentiment expressed.  I think this would make the standard confusing.  What does it mean if you are compliant but do not send in "I absolutely do not track".  It means you do not track according to the doc, but you do track according to absolutely not tracking?  Very confusing.  Calling this thing DNT was bad enough.  Now we are suggesting variable levels of "not tracking"?

-----Original Message-----
From: Chris Pedigo [mailto:CPedigo@online-publishers.org]<mailto:[mailto:CPedigo@online-publishers.org]>
Sent: Tuesday, February 14, 2012 7:28 AM
To: Roy T. Fielding; Nicholas Doty
Cc: Ninja Marnau; <public-tracking@w3.org<mailto:public-tracking@w3.org>> (public-tracking@w3.org<mailto:public-tracking@w3.org>)
Subject: RE: ACTION-110: Write proposal text for what it means to "not track" (ISSUE-119)

It seems to me that if a company didn't engage in any "tracking" then that company could just claim that.  They don't need a DNT standard to say so.  But, building such language into this standard would put compliant companies in a no-win situation.  This group has generally agreed to carve out first party activities.  Let's just call it a win and move on to other more important issues.

-----Original Message-----
From: Roy T. Fielding [mailto:fielding@gbiv.com]<mailto:[mailto:fielding@gbiv.com]>
Sent: Monday, February 13, 2012 7:00 PM
To: Nicholas Doty
Cc: Ninja Marnau; <public-tracking@w3.org<mailto:public-tracking@w3.org>> (public-tracking@w3.org<mailto:public-tracking@w3.org>)
Subject: Re: ACTION-110: Write proposal text for what it means to "not track" (ISSUE-119)

This is regarding ISSUE-5

On Feb 13, 2012, at 3:32 PM, Nicholas Doty wrote:
On Feb 13, 2012, at 3:04 PM, Roy T. Fielding wrote:
On Feb 13, 2012, at 1:09 PM, Nicholas Doty wrote:

Hi Roy,

On Feb 13, 2012, at 12:49 PM, Roy T. Fielding wrote:
Please be aware that this would require Apache httpd to respond
that it is always tracking, by default, regardless of how the
underlying services are implemented.  Likewise for Squid,
TrafficServer, haproxy, and all other HTTP servers that I am aware of.

If we can't find a definition that allows HTTP access logs and
normal retention for fraud control, then let's give up.  I will not
implement DNT if it can be used as a bypass for fraud and security controls.

As I believe Ninja noted, this is *not* intended as a set of requirements for compliance with a DNT header, just a meaningful and entirely optional description that a site can use if it absolutely isn't tracking.

I do not believe that is helpful.  It implies that anything in that
list is tracking, which is false, and it implies that any site doing
those things can't claim it is absolutely not tracking, which is not
a desirable result (it makes this standard useless).

I'm confused, why would that make the standard useless? I thought the group had largely agreed on compliance as a broad prohibition of tracking with an enumerated list of exceptions for business purposes where tracking is allowable.

No, the group has not even remotely agreed to any definition of tracking.
It wasn't even close -- five different ideas, each with distinct groups interested in that idea.

If a site doesn't need any of those exceptions and simply isn't retaining data about users, why would it be unhelpful for them to have a way to say so?

Maybe you're concerned about the terminology of "absolutely not tracking" as opposed to 'complying with the DNT preference'? Better terminology would be great. Personally, I just honestly can't see why it's harmful for sites to be able to say that they're going above and beyond a compliance standard.

It is harmful to place that text in the specification because there are many other sites that are absolutely not tracking and those sites will also be sending a response that says they are absolutely not tracking.  Adding text in the spec that excludes those sites is a contradiction in terms.

If there is an alternate definition that could accommodate common httpd configurations and still communicate to the user that to a more complete level no tracking is occurring, it would be great to see that option.

Here is an alternative:

A party may claim that it is not tracking if

1) the party does not retain data from requests in a form that might
identify a user except as necessary to fulfill that user's intention
(e.g., credit card billing data is necessary if the user is making a
purchase) or for the limited purposes of access security, fraud
prevention, or audit controls;

2) when user-identifying data is retained for purposes other than to
fulfill the user's intention, the party maintains strict
confidentiality of that data and only retains that data for a limited
duration that is no longer than is necessary to accomplish that
purpose, thereafter destroying or otherwise clearing the
user-identifying data; and,

3) the party does not combine or correlate collected user-identifying
data with any other data obtained from prior requests,
user-identifying profiles, or data obtained from third parties unless
specifically directed to do so by the user (e.g., when a user
initiates a login request) or for the limited purposes of inspection
for access security, fraud prevention, or audit controls.

Is this alternative just a re-statement of one outcome of the compliance doc or do you think this is an optional level beyond compliance? (I believe we're aiming for the latter in ISSUE-119.) I personally would think "absolutely not tracking" wouldn't include retaining identifying data for business purposes outside of the user's intent for an indeterminate length of time.


John M. Simpson
Consumer Advocate
Consumer Watchdog
1750 Ocean Park Blvd. ,Suite 200
Santa Monica, CA,90405
Tel: 310-392-7041
Cell: 310-292-1902
Received on Thursday, 16 February 2012 18:51:18 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 17:38:34 UTC