Re: ACTION-110: Write proposal text for what it means to "not track" (ISSUE-119) from Jeffrey Chester on 2012-02-19 (public-tracking@w3.org from February 2012)

From: Jeffrey Chester <jeff@democraticmedia.org>
Date: Sun, 19 Feb 2012 12:48:54 -0500
To: "Jules Polonetsky" <julespol@futureofprivacy.org>
Cc: "'Rigo Wenning'" <rigo@w3.org>, <public-tracking@w3.org>, "'Ninja Marnau'" <nmarnau@datenschutzzentrum.de>, "'Roy T. Fielding'" <fielding@gbiv.com>
Message-id: <B964658E-EAC7-4D3D-B3D9-A1CD1A8B491D@democraticmedia.org>

I agree we should cover nonprofits.   Universities, esp private for-profits--use behavioral targeting and lots of tracking.  That's how they find targets for high-priced college loans in the US.




Jeffrey Chester
Center for Digital Democracy
1621 Connecticut Ave, NW, Suite 550
Washington, DC 20009
www.democraticmedia.org
www.digitalads.org
202-986-2220

On Feb 18, 2012, at 7:21 PM, Jules Polonetsky wrote:

> A quick look at EU and US university sites indicates plenty of tracking.
> (depending on what we consider tracking)....
> 
> Universities aren't acting as publishers carrying banner ads.  But they do
> advertise elsewhere using third parties who track back the performance of
> those ads to university sites by pixeling their pages.  And third party
> analytics code is quite common place on university sites.
> 
> -----Original Message-----
> From: Rigo Wenning [mailto:rigo@w3.org] 
> Sent: Saturday, February 18, 2012 6:16 PM
> To: public-tracking@w3.org; Ninja Marnau
> Cc: Roy T. Fielding
> Subject: Re: ACTION-110: Write proposal text for what it means to "not
> track" (ISSUE-119)
> 
> Roy, Ninja, 
> 
> looks like we have two very good proposals on the table. Just to also give
> my recollection from the Brussels meeting: Matthias was complaining about
> the small websites, but also about the Universities that will not do big DNT
> implementation efforts. But they are not tracking either. How do we deal
> with it. Ninja took a first (restrictive) suggestion. Roy toned down a bit
> (I think we have too much misunderstandable EU data protection jargon in
> Ninja's proposal). 
> 
> Can you both be clear on: 
> 
> 1/ Log data (which data for how long?)
> 
> 2/ Cookie data (session cookies are not in scope anyway, right?)
> 
> And can we please stop the confusion of this case with the DNT case for the
> professionals? Only because there are  sites that do not participate in the
> advertisement model (aka Universities) we should not disregard them in our
> solution. And if you really fear that having "normal University sites
> indicating that they do not track" is conveying a bad message on our normal
> DNT specification, than this may be seen as a confession that the industry
> doesn't trust the effectiveness of their own suggestions and that they want
> to re-think their suggestions. But I believe this would be a dead-end
> discussion, especially as I think all the alleged harm is not intended. 
> 
> This said, I agree with Aleecia and Roy that we should be careful about the
> concrete wording. "not-tracking" and "really-not-tracking" looks like a bad
> option. Somebody will ultimately come up with a "really-really-really-not-
> tracking-fingers-crossed". So I share Roy's concern, but I don't think Ninja
> intended that effect. I remind you that we are in an international context
> here with non-native speakers.
> 
> Best, 
> 
> Rigo
> 
> On Monday 13 February 2012 15:04:24 Roy T. Fielding wrote:
>> A party may claim that it is not tracking if
>> 
>> 1) the party does not retain data from requests in a form that might 
>> identify a user except as necessary to fulfill that user's intention 
>> (e.g., credit card billing data is necessary if the user is making a 
>> purchase) or for the limited purposes of access security, fraud 
>> prevention, or audit controls;
>> 
>> 2) when user-identifying data is retained for purposes other than to 
>> fulfill the user's intention, the party maintains strict 
>> confidentiality of that data and only retains that data for a limited 
>> duration that is no longer than is necessary to accomplish that 
>> purpose, thereafter destroying or otherwise clearing the 
>> user-identifying data; and,
>> 
>> 3) the party does not combine or correlate collected user-identifying 
>> data with any other data obtained from prior requests, 
>> user-identifying profiles, or data obtained from third parties unless 
>> specifically directed to do so by the user (e.g., when a user 
>> initiates a login request) or for the limited purposes of inspection 
>> for access security, fraud prevention, or audit controls.
> 
> 
> 
>

Received on Sunday, 19 February 2012 17:49:36 UTC