W3C home > Mailing lists > Public > public-tracking@w3.org > January 2012

Re: diff of TPE editing since the FPWD

From: Jeffrey Chester <jeff@democraticmedia.org>
Date: Thu, 12 Jan 2012 12:36:02 -0500
Cc: Ed Felten <ed@felten.com>, "public-tracking@w3.org" <public-tracking@w3.org>
Message-id: <973112ED-485A-43F0-87FB-3793C5A81FD5@democraticmedia.org>
To: Shane Wiley <wileys@yahoo-inc.com>
I look forward to the discussion in Brussels.  I was at the meeting organized by the World Privacy Forum about five years ago where the "Do Not Track" system was initially proposed by Pam Dixon (and where it began as a policy issue, soon formally presented at the FTC and elsewhere).  The concern was overall tracking, on First and Third party sites.  Such tracking is still the core of the overall privacy and consumer protection concerns (although I recognize for the W3C process it has been [narrowly] focused on so-called Third parties. 

I don't believe cross track gets to the essence of the tracking paradigm, which includes retargeting;  data (offline and online) collected and integrated across multiple platforms throughvarious data-enabled marketing applications, etc.  But I am sure we can arrive at reasonable definition.


Jeffrey Chester
Center for Digital Democracy
1621 Connecticut Ave, NW, Suite 550
Washington, DC 20009
www.democraticmedia.org
www.digitalads.org
202-986-2220

On Jan 12, 2012, at 12:23 PM, Shane Wiley wrote:

> Ed,
> 
> As you've pointed out (and I similarly called out later in the chain) there will be a need to define terms and exceptions in either direction.  That said, there are optic, related assumptions, and a starting point for understanding to consider - and with those in mind, "cross-site tracking" appears to be the better place to begin the conversation from (and was the genesis of the DNT debate/discussion and this working group).
> 
> - Shane
> 
> -----Original Message-----
> From: Ed Felten [mailto:ed@felten.com] 
> Sent: Thursday, January 12, 2012 7:49 AM
> To: public-tracking@w3.org
> Subject: Re: diff of TPE editing since the FPWD
> 
> Is this "cross-site" discussion a debate about substance, or only
> about terminology?
> 
> We're looking at two approaches.  In one approach we essentially say
> "no third-party tracking," and then we very carefully define what
> "third-party" means.  In the other approach we say "no cross-site
> tracking," and then we very carefully define what "cross-site" means.
> In both cases we have to specify what constitutes the same
> party/site.  In both cases we will presumably create the obvious set
> of exceptions.
> 
> It could be--and please help me understand whether this is true--that
> we will end up writing a standard that allows and disallows the same
> things, regardless of which approach we take.  Or is there a
> substantive disagreement lurking beneath the terminology?
> 
> To be clear, I don't mean to suggest that terminology doesn't matter,
> nor that we shouldn't discuss terminology.  I'm just saying that it's
> good to be clear about what is and isn't at stake in this part of the
> discussion.
> 
> On Thu, Jan 12, 2012 at 1:07 AM, Shane Wiley <wileys@yahoo-inc.com> wrote:
>> I believe cross-site tracking more accurately describes the intended goal of
>> the working group so would suggest this remain in the document "as is".  In
>> either direction we'll still need to elaborate as to what is and is not
>> cross-site tracking and this can be done with party position definitions and
>> business rules.  As MOST of the use cases imagined are cross-site centric,
>> this is the logical place to start from and articulate exceptions from this
>> pivot point.
>> 
>> 
>> 
>> - Shane
>> 
>> 
>> 
>> From: Kevin Smith [mailto:kevsmith@adobe.com]
>> Sent: Thursday, January 12, 2012 12:38 AM
>> To: Jonathan Mayer; Sean Harvey
>> Cc: Rigo Wenning; Jeffrey Chester; public-tracking@w3.org; Roy T. Fielding
>> Subject: RE: diff of TPE editing since the FPWD
>> 
>> 
>> 
>> I agree with Sean that cross-site tracking carries far less ambiguity than
>> 1st vs 3rd parties and is probably a simpler approach to solving the same
>> problem of preventing cross-site tracking.
>> 
>> 
>> 
>> Jonathan wrote:
>> 
>>> I view it as a *positive* sign that our current approach has surfaced
>>> issues of outsourcing and backend sharing - that means we're moving past
>>> linguistic hijinks and debating actual substance.
>> 
>> 
>> 
>> From a cross-tracking based conversation, outsourcing is far less relevant,
>> and back-end sharing is a more obvious concern, being one of the primary
>> methods of cross-site data sharing.  So I actually think this is an example
>> of how the conversations become easier and more straightforward when
>> focusing on cross-tracking.
>> 
>> 
>> 
>> Jonathan Said:
>> 
>>> Kevin proposed a definition of "Do Not Cross Track" within the ambit of
>>> ISSUE-5 ("What is the definition of tracking?").  The discussion that
>>> followed was vague, confused, and unhelpful.
>> 
>> 
>> 
>> I actually got a very positive response and strong agreement from several
>> group members, but very little traction or discussion from the group as a
>> whole.  I look forward to raising the question in Belgium where hopefully
>> the face to face interaction can help me understand objections or answer
>> concerns more easily.
>> 
>> 
>> 
>> Rigo said:
>> 
>>> can you explain cross-site tracking by first parties to me? I just point
>>> out
>>> the logic break here. Either we talk about first vs third parties or we
>>> solely
>>> scope the entire exercise and scope to "cross-site tracking".
>> 
>> 
>> 
>> A 1st party would participate in cross-site tracking by using data collected
>> on its site/properties on an unrelated site (without getting into the
>> domain/affiliate discussion here), or by giving the data to someone else to
>> use on an unrelated site such as selling it to a dsp.  A 1st party may also
>> be in violation by acquiring data from a 3rd party (such as a Blue Kai) for
>> use on its site (such as product targeting or personalization).
>> 
>> 
>> 
>> You are right though in that it does not make sense to define DNT both in
>> terms of parties and cross-site tracking.  At our first f2f, it seemed to me
>> that we largely agreed that providing a mechanism to prevent cross-site
>> tracking and targeting was our primary objective.  The first suggested
>> approach to defining this was to exempt 1st parties (for the most part),
>> prohibit 3rd parties (for the most part), and then work on defining the gray
>> areas.  Or in other words, define cross-site tracking in terms of what 3rd
>> parties do with our data.  This idea caught on so quickly that we never
>> really examined other approaches, and to be honest, it made a lot of sense
>> to me at the time as well.  The unfortunate result however, was that parties
>> became more and more difficult to enumerate, define and separate.  Before
>> long, the party question had hijacked nearly all conversations and we were
>> no longer focusing on DNT but rather on party definition.
>> 
>> 
>> 
>> So I think its time to revisit the original problem of preventing cross site
>> tracking, but try using a contextual definition rather than a party based
>> definition.  Much of our work will translate over perfectly, so I do not
>> think we will lose much time.  In fact, I think we will actually shorten the
>> remaining effort substantially by removing the party complexities and
>> ambiguities.
>> 
>> 
>> 
>> From: Jonathan Mayer [mailto:jmayer@stanford.edu]
>> Sent: Wednesday, January 11, 2012 4:16 PM
>> To: Sean Harvey
>> Cc: Rigo Wenning; Kevin Smith; Jeffrey Chester; public-tracking@w3.org; Roy
>> T. Fielding
>> Subject: Re: diff of TPE editing since the FPWD
>> 
>> 
>> 
>> 
>> 
>> On Jan 11, 2012, at 2:41 PM, Sean Harvey wrote:
>> 
>> 
>> 
>> As I step back and think about it for a moment I feel that the potential
>> ambiguities around the definition of "cross site tracking" might be less
>> intractable than those around "first and third party" which is where we've
>> gotten into a tangle over the past weeks.
>> 
>> 
>> 
>> Among the many complexities that we've encountered in this respect are that
>> third party domains are often merely software tool used by first parties,
>> and that first parties have to be restricted from sharing their data with
>> third parties. All of this is addressed & defined more cleanly in a "cross
>> site tracking" paradigm. A good "cross site" definition could simplify
>> things greatly, close potential loopholes for first parties and build
>> greater consensus.
>> 
>> 
>> 
>> I don't believe a renewed focus on "cross-site tracking" would be
>> productive.  The phrase introduces the ambiguities I noted below and
>> unnecessarily conflates the independent questions of which roles are covered
>> (currently framed as first party vs. third party) and what actors in those
>> roles may or may not do (currently framed as, for third parties, a blanket
>> bar + exceptions).  I view it as a *positive* sign that our current approach
>> has surfaced issues of outsourcing and backend sharing - that means we're
>> moving past linguistic hijinks and debating actual substance.
>> 
>> 
>> 
>> Setting aside those objections, this approach has been tried without
>> success.  Kevin proposed a definition of "Do Not Cross Track" within the
>> ambit of ISSUE-5 ("What is the definition of tracking?").  The discussion
>> that followed was vague, confused, and unhelpful.
>> 
>> 
>> 
>> Correct me if i'm wrong, but I believe the consensus of the group early on
>> was to focus on cross-site tracking; part of the problem in definitions
>> seems to be that we aren't being clear about that.
>> 
>> 
>> 
>> Much of this standardization process has involved stakeholders developing a
>> more precise understanding of the issues in play.  (Look no further than the
>> issue tracker, which is a virtual graveyard of old generalities replaced by
>> newer specifics.)  There was certainly consensus fairly early that the
>> standard would include some distinction like "first party vs. third party"
>> or "cross-site"  - but I don't believe the group was sophisticated enough at
>> that point to agree on details.  In fact, we're just now working out the
>> specifics.
>> 
>> 
>> 
>> On Wed, Jan 11, 2012 at 4:37 PM, Jonathan Mayer <jmayer@stanford.edu> wrote:
>> 
>> I think there's a language ambiguity here.  Some consider "cross-site
>> tracking" to be about correlating user actions on unrelated websites.
>>  Others consider "cross-site tracking" to be about information practices by
>> third-party websites.  In light of the ambiguity, I'd support dropping the
>> term from the Preference Expression document and replacing it with something
>> more neutral.
>> 
>> Moreover, at a higher level, I don't think compliance policy questions
>> belong in that document.  Preference Expression should be a technical
>> vehicle for whatever Compliance and Scope specifies - no more and no less.
>>  I would support clarifying that principle in the documents and trimming the
>> lengthy policy-based introduction from the Preference Expression document.
>> 
>> I am very sensitive to Roy's and Kevin's concern that the group not move
>> away from its consensus that this standard will impose (almost) no limits on
>> first-party conduct.  I believe the current proposals for Compliance and
>> Scope accurately reflect that consensus.  To the extent they don't,  debate
>> should be held in the context of that document, not surrounding an ambiguous
>> turn of phrase elsewhere.
>> 
>> Jonathan
>> 
>> 
>> On Jan 11, 2012, at 11:46 AM, Rigo Wenning wrote:
>> 
>>> Kevin,
>>> 
>>> can you explain cross-site tracking by first parties to me? I just point
>>> out
>>> the logic break here. Either we talk about first vs third parties or we
>>> solely
>>> scope the entire exercise and scope to "cross-site tracking".
>>> 
>>> Rigo
>>> 
>>> On Wednesday 11 January 2012 11:13:08 Kevin Smith wrote:
>>>> Actually, at least in the early meetings, I believe we had near consensus
>>>> that the objective of this working group would be focused around
>>>> cross-site
>>>> tracking (despite a somewhat confusing name of DNT).  Most of the current
>>>> issues and discussions are reflective of this direction - such as
>>>> defining
>>>> affiliates, 1st vs 3rd parties, and exceptions to when cross-site
>>>> tracking
>>>> are permissible such as rate frequency capping.
>>>> 
>>>> If that is still true, I think it's imperative to have it spelled out as
>>>> Roy
>>>> has done in the doc to avoid as much confusion as possible.
>>> 
>> 
>> 
>> 
>> 
>> 
>> --
>> Sean Harvey
>> Business Product Manager
>> Google, Inc.
>> 212-381-5330
>> sharvey@google.com
>> 
>> 
> 
> 
> 
Received on Thursday, 12 January 2012 17:36:52 UTC

This archive was generated by hypermail 2.3.1 : Friday, 3 November 2017 21:44:43 UTC