Re: diff of TPE editing since the FPWD

My problems with the term 'cross-site' are two-fold:

a) I think users are asking "don't track me" and they will see "don't cross-site track me" as restricting some, but not nearly all, of what they worry about.
b) I think some sites will break the formal rules but claim that what they are doing is not "cross-site" and so is allowed.

We could argue in both cases that they should read the document and the definitions and rules, but in both cases I fear the damage is done before that. This is behind some of the (slightly emotional) resistance to what could be, after all, merely a terminology question.

This is assuming we agree on a definition, of course, of what we're restricting…maybe then we'll be able to decide what label to give it.

There seems to be some 'emotional' resistance the other way; can anyone explain it?



On Jan 12, 2012, at 9:23 , Shane Wiley wrote:

> Ed,
> 
> As you've pointed out (and I similarly called out later in the chain) there will be a need to define terms and exceptions in either direction.  That said, there are optic, related assumptions, and a starting point for understanding to consider - and with those in mind, "cross-site tracking" appears to be the better place to begin the conversation from (and was the genesis of the DNT debate/discussion and this working group).
> 
> - Shane
> 
> -----Original Message-----
> From: Ed Felten [mailto:ed@felten.com] 
> Sent: Thursday, January 12, 2012 7:49 AM
> To: public-tracking@w3.org
> Subject: Re: diff of TPE editing since the FPWD
> 
> Is this "cross-site" discussion a debate about substance, or only
> about terminology?
> 
> We're looking at two approaches.  In one approach we essentially say
> "no third-party tracking," and then we very carefully define what
> "third-party" means.  In the other approach we say "no cross-site
> tracking," and then we very carefully define what "cross-site" means.
> In both cases we have to specify what constitutes the same
> party/site.  In both cases we will presumably create the obvious set
> of exceptions.
> 
> It could be--and please help me understand whether this is true--that
> we will end up writing a standard that allows and disallows the same
> things, regardless of which approach we take.  Or is there a
> substantive disagreement lurking beneath the terminology?
> 
> To be clear, I don't mean to suggest that terminology doesn't matter,
> nor that we shouldn't discuss terminology.  I'm just saying that it's
> good to be clear about what is and isn't at stake in this part of the
> discussion.
> 
> On Thu, Jan 12, 2012 at 1:07 AM, Shane Wiley <wileys@yahoo-inc.com> wrote:
>> I believe cross-site tracking more accurately describes the intended goal of
>> the working group so would suggest this remain in the document "as is".  In
>> either direction we'll still need to elaborate as to what is and is not
>> cross-site tracking and this can be done with party position definitions and
>> business rules.  As MOST of the use cases imagined are cross-site centric,
>> this is the logical place to start from and articulate exceptions from this
>> pivot point.
>> 
>> 
>> 
>> - Shane
>> 
>> 
>> 
>> From: Kevin Smith [mailto:kevsmith@adobe.com]
>> Sent: Thursday, January 12, 2012 12:38 AM
>> To: Jonathan Mayer; Sean Harvey
>> Cc: Rigo Wenning; Jeffrey Chester; public-tracking@w3.org; Roy T. Fielding
>> Subject: RE: diff of TPE editing since the FPWD
>> 
>> 
>> 
>> I agree with Sean that cross-site tracking carries far less ambiguity than
>> 1st vs 3rd parties and is probably a simpler approach to solving the same
>> problem of preventing cross-site tracking.
>> 
>> 
>> 
>> Jonathan wrote:
>> 
>>> I view it as a *positive* sign that our current approach has surfaced
>>> issues of outsourcing and backend sharing - that means we're moving past
>>> linguistic hijinks and debating actual substance.
>> 
>> 
>> 
>> From a cross-tracking based conversation, outsourcing is far less relevant,
>> and back-end sharing is a more obvious concern, being one of the primary
>> methods of cross-site data sharing.  So I actually think this is an example
>> of how the conversations become easier and more straightforward when
>> focusing on cross-tracking.
>> 
>> 
>> 
>> Jonathan Said:
>> 
>>> Kevin proposed a definition of "Do Not Cross Track" within the ambit of
>>> ISSUE-5 ("What is the definition of tracking?").  The discussion that
>>> followed was vague, confused, and unhelpful.
>> 
>> 
>> 
>> I actually got a very positive response and strong agreement from several
>> group members, but very little traction or discussion from the group as a
>> whole.  I look forward to raising the question in Belgium where hopefully
>> the face to face interaction can help me understand objections or answer
>> concerns more easily.
>> 
>> 
>> 
>> Rigo said:
>> 
>>> can you explain cross-site tracking by first parties to me? I just point
>>> out
>>> the logic break here. Either we talk about first vs third parties or we
>>> solely
>>> scope the entire exercise and scope to "cross-site tracking".
>> 
>> 
>> 
>> A 1st party would participate in cross-site tracking by using data collected
>> on its site/properties on an unrelated site (without getting into the
>> domain/affiliate discussion here), or by giving the data to someone else to
>> use on an unrelated site such as selling it to a dsp.  A 1st party may also
>> be in violation by acquiring data from a 3rd party (such as a Blue Kai) for
>> use on its site (such as product targeting or personalization).
>> 
>> 
>> 
>> You are right though in that it does not make sense to define DNT both in
>> terms of parties and cross-site tracking.  At our first f2f, it seemed to me
>> that we largely agreed that providing a mechanism to prevent cross-site
>> tracking and targeting was our primary objective.  The first suggested
>> approach to defining this was to exempt 1st parties (for the most part),
>> prohibit 3rd parties (for the most part), and then work on defining the gray
>> areas.  Or in other words, define cross-site tracking in terms of what 3rd
>> parties do with our data.  This idea caught on so quickly that we never
>> really examined other approaches, and to be honest, it made a lot of sense
>> to me at the time as well.  The unfortunate result however, was that parties
>> became more and more difficult to enumerate, define and separate.  Before
>> long, the party question had hijacked nearly all conversations and we were
>> no longer focusing on DNT but rather on party definition.
>> 
>> 
>> 
>> So I think its time to revisit the original problem of preventing cross site
>> tracking, but try using a contextual definition rather than a party based
>> definition.  Much of our work will translate over perfectly, so I do not
>> think we will lose much time.  In fact, I think we will actually shorten the
>> remaining effort substantially by removing the party complexities and
>> ambiguities.
>> 
>> 
>> 
>> From: Jonathan Mayer [mailto:jmayer@stanford.edu]
>> Sent: Wednesday, January 11, 2012 4:16 PM
>> To: Sean Harvey
>> Cc: Rigo Wenning; Kevin Smith; Jeffrey Chester; public-tracking@w3.org; Roy
>> T. Fielding
>> Subject: Re: diff of TPE editing since the FPWD
>> 
>> 
>> 
>> 
>> 
>> On Jan 11, 2012, at 2:41 PM, Sean Harvey wrote:
>> 
>> 
>> 
>> As I step back and think about it for a moment I feel that the potential
>> ambiguities around the definition of "cross site tracking" might be less
>> intractable than those around "first and third party" which is where we've
>> gotten into a tangle over the past weeks.
>> 
>> 
>> 
>> Among the many complexities that we've encountered in this respect are that
>> third party domains are often merely software tool used by first parties,
>> and that first parties have to be restricted from sharing their data with
>> third parties. All of this is addressed & defined more cleanly in a "cross
>> site tracking" paradigm. A good "cross site" definition could simplify
>> things greatly, close potential loopholes for first parties and build
>> greater consensus.
>> 
>> 
>> 
>> I don't believe a renewed focus on "cross-site tracking" would be
>> productive.  The phrase introduces the ambiguities I noted below and
>> unnecessarily conflates the independent questions of which roles are covered
>> (currently framed as first party vs. third party) and what actors in those
>> roles may or may not do (currently framed as, for third parties, a blanket
>> bar + exceptions).  I view it as a *positive* sign that our current approach
>> has surfaced issues of outsourcing and backend sharing - that means we're
>> moving past linguistic hijinks and debating actual substance.
>> 
>> 
>> 
>> Setting aside those objections, this approach has been tried without
>> success.  Kevin proposed a definition of "Do Not Cross Track" within the
>> ambit of ISSUE-5 ("What is the definition of tracking?").  The discussion
>> that followed was vague, confused, and unhelpful.
>> 
>> 
>> 
>> Correct me if i'm wrong, but I believe the consensus of the group early on
>> was to focus on cross-site tracking; part of the problem in definitions
>> seems to be that we aren't being clear about that.
>> 
>> 
>> 
>> Much of this standardization process has involved stakeholders developing a
>> more precise understanding of the issues in play.  (Look no further than the
>> issue tracker, which is a virtual graveyard of old generalities replaced by
>> newer specifics.)  There was certainly consensus fairly early that the
>> standard would include some distinction like "first party vs. third party"
>> or "cross-site"  - but I don't believe the group was sophisticated enough at
>> that point to agree on details.  In fact, we're just now working out the
>> specifics.
>> 
>> 
>> 
>> On Wed, Jan 11, 2012 at 4:37 PM, Jonathan Mayer <jmayer@stanford.edu> wrote:
>> 
>> I think there's a language ambiguity here.  Some consider "cross-site
>> tracking" to be about correlating user actions on unrelated websites.
>>  Others consider "cross-site tracking" to be about information practices by
>> third-party websites.  In light of the ambiguity, I'd support dropping the
>> term from the Preference Expression document and replacing it with something
>> more neutral.
>> 
>> Moreover, at a higher level, I don't think compliance policy questions
>> belong in that document.  Preference Expression should be a technical
>> vehicle for whatever Compliance and Scope specifies - no more and no less.
>>  I would support clarifying that principle in the documents and trimming the
>> lengthy policy-based introduction from the Preference Expression document.
>> 
>> I am very sensitive to Roy's and Kevin's concern that the group not move
>> away from its consensus that this standard will impose (almost) no limits on
>> first-party conduct.  I believe the current proposals for Compliance and
>> Scope accurately reflect that consensus.  To the extent they don't,  debate
>> should be held in the context of that document, not surrounding an ambiguous
>> turn of phrase elsewhere.
>> 
>> Jonathan
>> 
>> 
>> On Jan 11, 2012, at 11:46 AM, Rigo Wenning wrote:
>> 
>>> Kevin,
>>> 
>>> can you explain cross-site tracking by first parties to me? I just point
>>> out
>>> the logic break here. Either we talk about first vs third parties or we
>>> solely
>>> scope the entire exercise and scope to "cross-site tracking".
>>> 
>>> Rigo
>>> 
>>> On Wednesday 11 January 2012 11:13:08 Kevin Smith wrote:
>>>> Actually, at least in the early meetings, I believe we had near consensus
>>>> that the objective of this working group would be focused around
>>>> cross-site
>>>> tracking (despite a somewhat confusing name of DNT).  Most of the current
>>>> issues and discussions are reflective of this direction - such as
>>>> defining
>>>> affiliates, 1st vs 3rd parties, and exceptions to when cross-site
>>>> tracking
>>>> are permissible such as rate frequency capping.
>>>> 
>>>> If that is still true, I think it's imperative to have it spelled out as
>>>> Roy
>>>> has done in the doc to avoid as much confusion as possible.
>>> 
>> 
>> 
>> 
>> 
>> 
>> --
>> Sean Harvey
>> Business Product Manager
>> Google, Inc.
>> 212-381-5330
>> sharvey@google.com
>> 
>> 
> 
> 

David Singer
Multimedia and Software Standards, Apple Inc.

Received on Friday, 13 January 2012 03:41:58 UTC