- From: Jonathan Mayer <jmayer@stanford.edu>
- Date: Wed, 4 Jan 2012 10:05:09 -0600
- To: Jeffrey Chester <jeff@democraticmedia.org>
- Cc: David Singer <singer@apple.com>, "<public-tracking@w3.org> (public-tracking@w3.org)" <public-tracking@w3.org>
- Message-Id: <0A0F34A5-B15B-4095-B6B1-3ACA749136F4@stanford.edu>
On Jan 4, 2012, at 9:38 AM, Jeffrey Chester wrote: > The proposal for Issue 23 potentially creates a scenario where a users intention for DNT could be undermined by allowing a "third party site...operate as a first party." A user who doesn't want to be tracked should not have to deal with such a proposed exemption. There was agreement in Cambridge (as I recall, my initial proposal drew chortles...) that there should be an outsourcing exception. In Santa Clara the working group developed some consensus on the precautions required by the exception. If you have new use cases for why we should reopen the issue, please share them. > Even if the specs as proposed applied, the use of outside tracking related data by a First Party without user consent is an insufficient safeguard. The working group has not yet addressed a possible exception for first parties or third parties bringing in previously-collected third-party data (termed by some as "appending"). That's a separate issue. > As for aggregate analytics, I agree such data is required. But we should discuss what signals are required to ensure such analytics are not used for profile based targeting/profile/network user sales. To build a user profile, a third party would have to use data that correlates user interactions. The draft text forbids that. > Best to all for the New Year. > > Jeff > > > Center for Digital Democracy > 1621 Connecticut Ave, NW, Suite 550 > Washington, DC 20009 > www.democraticmedia.org > www.digitalads.org > 202-986-2220 > > On Jan 3, 2012, at 6:18 PM, David Singer wrote: > >> Issue number: 23 >> >> >> >> Issue name: Possible exemption for analytics >> Suggested retitle: Possible exemption for outsourcing >> >> Issue URL: >> http://www.w3.org/2011/tracking-protection/track/issues/23 >> >> Section number in the FPWD: 3.4 Types of Tracking >> Contributors to this text: (Draft) David Singer, (Edit) Jonathan Mayer >> >> Specification: >> A third-party site may operate as a first-party site if all the following conditions hold: >> the data collection, retention, and use, complies with at least the requirements for first-parties; >> the data collected is available only to the first party, and the third party has no independent right to use the data; >> the third party makes commitments to adhere to this standard in a form that is legally enforceable (directly or indirectly) by the first party, individual users, and regulators; data retention by the third party must not survive the end of this legal enforceability; >> the third party undertakes reasonable technical precautions to prevent collecting data that could be correlated across first parties. >> >> Non-normative Discussion: >> The rationale for rule (2) is that we allow the third party to stand in the first party’s shoes – but go no further. The third party may not use the data it collects for “product improvement,” “aggregate analytics,” or any other purpose except to fulfill a request by a first party, where the results are shared only with the first party. >> >> Rule (3) allows for the possibility of more than one level of outsourcing. >> >> In rule (4), one component of reasonable technical precautions will often be using the same-origin policy to segregate information for each first-party customer. >> >> Note that any data collected by the third party that is used, or may be used, in any way by any party other than the first party, is subject to the requirements for third parties. >> >> Example: >> ExampleAnalytics collects analytic data for ExampleProducts Inc.. It operates a site under the DNS analytics.exampleproducts.com. It collects and analyzes data on visits to ExampleProducts, and provides that data solely to ExampleProducts, and does not access or use it itself. >> >> Text that possibly belongs in other sections: >> When the third party sends a response header, that header must indicate that that they are a third party and that they are operating under this exception. >> Note that a third party that operates under a domain name or other arrangement that makes it appear to the user as if they are the first party, or a part or affiliate of the first party, is nonetheless a third party and is subject to the requirements of this clause ("DNS masquerading"). >> >> >> >> Issue number: 34 >> Issue name: Possible exemption for aggregate analytics >> Suggested retitle: Possible exemption for unidentifiable data >> >> Issue URL: >> http://www.w3.org/2011/tracking-protection/track/issues/34 >> >> Section number in the FPWD: 3.4 Types of Tracking >> Contributors to this text: (Draft) David Singer, (Edit) Jonathan Mayer >> >> Specification: >> A third party may collect, retain, and use any information from a user or user agent that, with high probability, could not be used to: >> 1) identify or nearly identify a user or user agent; or >> 2) correlate the activities of a user or user agent across multiple network interactions. >> >> Examples: >> 1. A third-party advertising network records the fact that it displayed an ad. >> 2. A third-party analytics service counts the number of times a popular page was loaded. >> >> Non-Normative Discussion: >> This exception (like all exceptions) may not be combined with other exceptions unless specifically allowed. A third party acting within the outsourcing exception, for example, may not make independent use of the data it has collected even though the use involves unidentifiable data. A rule to the contrary would provide a perverse incentive for third parties to press all exceptions to the limit and then use the collected data within this exception. >> A potential ‘safe harbor’ under this clause could be to retain only aggregate counts, not per-transaction records. >> >> Text that possibly belongs elsewhere: >> Possible advances in de-anonymization that make previously non-identifiable data, identifiable, should be considered. >> [Maybe need an issue: whose problem is it when data from disparate sources, all but one of which are anonymous, is combined to achieve de-anonymization?] >> >> >> >> >
Received on Wednesday, 4 January 2012 16:05:59 UTC