- From: David Singer <singer@apple.com>
- Date: Thu, 12 Jan 2012 10:26:35 -0800
- To: Shane Wiley <wileys@yahoo-inc.com>
- Cc: Ed Felten <ed@felten.com>, "public-tracking@w3.org" <public-tracking@w3.org>
My problems with the term 'cross-site' are two-fold: a) I think users are asking "don't track me" and they will see "don't cross-site track me" as restricting some, but not nearly all, of what they worry about. b) I think some sites will break the formal rules but claim that what they are doing is not "cross-site" and so is allowed. We could argue in both cases that they should read the document and the definitions and rules, but in both cases I fear the damage is done before that. This is behind some of the (slightly emotional) resistance to what could be, after all, merely a terminology question. This is assuming we agree on a definition, of course, of what we're restricting…maybe then we'll be able to decide what label to give it. There seems to be some 'emotional' resistance the other way; can anyone explain it? On Jan 12, 2012, at 9:23 , Shane Wiley wrote: > Ed, > > As you've pointed out (and I similarly called out later in the chain) there will be a need to define terms and exceptions in either direction. That said, there are optic, related assumptions, and a starting point for understanding to consider - and with those in mind, "cross-site tracking" appears to be the better place to begin the conversation from (and was the genesis of the DNT debate/discussion and this working group). > > - Shane > > -----Original Message----- > From: Ed Felten [mailto:ed@felten.com] > Sent: Thursday, January 12, 2012 7:49 AM > To: public-tracking@w3.org > Subject: Re: diff of TPE editing since the FPWD > > Is this "cross-site" discussion a debate about substance, or only > about terminology? > > We're looking at two approaches. In one approach we essentially say > "no third-party tracking," and then we very carefully define what > "third-party" means. In the other approach we say "no cross-site > tracking," and then we very carefully define what "cross-site" means. > In both cases we have to specify what constitutes the same > party/site. In both cases we will presumably create the obvious set > of exceptions. > > It could be--and please help me understand whether this is true--that > we will end up writing a standard that allows and disallows the same > things, regardless of which approach we take. Or is there a > substantive disagreement lurking beneath the terminology? > > To be clear, I don't mean to suggest that terminology doesn't matter, > nor that we shouldn't discuss terminology. I'm just saying that it's > good to be clear about what is and isn't at stake in this part of the > discussion. > > On Thu, Jan 12, 2012 at 1:07 AM, Shane Wiley <wileys@yahoo-inc.com> wrote: >> I believe cross-site tracking more accurately describes the intended goal of >> the working group so would suggest this remain in the document "as is". In >> either direction we'll still need to elaborate as to what is and is not >> cross-site tracking and this can be done with party position definitions and >> business rules. As MOST of the use cases imagined are cross-site centric, >> this is the logical place to start from and articulate exceptions from this >> pivot point. >> >> >> >> - Shane >> >> >> >> From: Kevin Smith [mailto:kevsmith@adobe.com] >> Sent: Thursday, January 12, 2012 12:38 AM >> To: Jonathan Mayer; Sean Harvey >> Cc: Rigo Wenning; Jeffrey Chester; public-tracking@w3.org; Roy T. Fielding >> Subject: RE: diff of TPE editing since the FPWD >> >> >> >> I agree with Sean that cross-site tracking carries far less ambiguity than >> 1st vs 3rd parties and is probably a simpler approach to solving the same >> problem of preventing cross-site tracking. >> >> >> >> Jonathan wrote: >> >>> I view it as a *positive* sign that our current approach has surfaced >>> issues of outsourcing and backend sharing - that means we're moving past >>> linguistic hijinks and debating actual substance. >> >> >> >> From a cross-tracking based conversation, outsourcing is far less relevant, >> and back-end sharing is a more obvious concern, being one of the primary >> methods of cross-site data sharing. So I actually think this is an example >> of how the conversations become easier and more straightforward when >> focusing on cross-tracking. >> >> >> >> Jonathan Said: >> >>> Kevin proposed a definition of "Do Not Cross Track" within the ambit of >>> ISSUE-5 ("What is the definition of tracking?"). The discussion that >>> followed was vague, confused, and unhelpful. >> >> >> >> I actually got a very positive response and strong agreement from several >> group members, but very little traction or discussion from the group as a >> whole. I look forward to raising the question in Belgium where hopefully >> the face to face interaction can help me understand objections or answer >> concerns more easily. >> >> >> >> Rigo said: >> >>> can you explain cross-site tracking by first parties to me? I just point >>> out >>> the logic break here. Either we talk about first vs third parties or we >>> solely >>> scope the entire exercise and scope to "cross-site tracking". >> >> >> >> A 1st party would participate in cross-site tracking by using data collected >> on its site/properties on an unrelated site (without getting into the >> domain/affiliate discussion here), or by giving the data to someone else to >> use on an unrelated site such as selling it to a dsp. A 1st party may also >> be in violation by acquiring data from a 3rd party (such as a Blue Kai) for >> use on its site (such as product targeting or personalization). >> >> >> >> You are right though in that it does not make sense to define DNT both in >> terms of parties and cross-site tracking. At our first f2f, it seemed to me >> that we largely agreed that providing a mechanism to prevent cross-site >> tracking and targeting was our primary objective. The first suggested >> approach to defining this was to exempt 1st parties (for the most part), >> prohibit 3rd parties (for the most part), and then work on defining the gray >> areas. Or in other words, define cross-site tracking in terms of what 3rd >> parties do with our data. This idea caught on so quickly that we never >> really examined other approaches, and to be honest, it made a lot of sense >> to me at the time as well. The unfortunate result however, was that parties >> became more and more difficult to enumerate, define and separate. Before >> long, the party question had hijacked nearly all conversations and we were >> no longer focusing on DNT but rather on party definition. >> >> >> >> So I think its time to revisit the original problem of preventing cross site >> tracking, but try using a contextual definition rather than a party based >> definition. Much of our work will translate over perfectly, so I do not >> think we will lose much time. In fact, I think we will actually shorten the >> remaining effort substantially by removing the party complexities and >> ambiguities. >> >> >> >> From: Jonathan Mayer [mailto:jmayer@stanford.edu] >> Sent: Wednesday, January 11, 2012 4:16 PM >> To: Sean Harvey >> Cc: Rigo Wenning; Kevin Smith; Jeffrey Chester; public-tracking@w3.org; Roy >> T. Fielding >> Subject: Re: diff of TPE editing since the FPWD >> >> >> >> >> >> On Jan 11, 2012, at 2:41 PM, Sean Harvey wrote: >> >> >> >> As I step back and think about it for a moment I feel that the potential >> ambiguities around the definition of "cross site tracking" might be less >> intractable than those around "first and third party" which is where we've >> gotten into a tangle over the past weeks. >> >> >> >> Among the many complexities that we've encountered in this respect are that >> third party domains are often merely software tool used by first parties, >> and that first parties have to be restricted from sharing their data with >> third parties. All of this is addressed & defined more cleanly in a "cross >> site tracking" paradigm. A good "cross site" definition could simplify >> things greatly, close potential loopholes for first parties and build >> greater consensus. >> >> >> >> I don't believe a renewed focus on "cross-site tracking" would be >> productive. The phrase introduces the ambiguities I noted below and >> unnecessarily conflates the independent questions of which roles are covered >> (currently framed as first party vs. third party) and what actors in those >> roles may or may not do (currently framed as, for third parties, a blanket >> bar + exceptions). I view it as a *positive* sign that our current approach >> has surfaced issues of outsourcing and backend sharing - that means we're >> moving past linguistic hijinks and debating actual substance. >> >> >> >> Setting aside those objections, this approach has been tried without >> success. Kevin proposed a definition of "Do Not Cross Track" within the >> ambit of ISSUE-5 ("What is the definition of tracking?"). The discussion >> that followed was vague, confused, and unhelpful. >> >> >> >> Correct me if i'm wrong, but I believe the consensus of the group early on >> was to focus on cross-site tracking; part of the problem in definitions >> seems to be that we aren't being clear about that. >> >> >> >> Much of this standardization process has involved stakeholders developing a >> more precise understanding of the issues in play. (Look no further than the >> issue tracker, which is a virtual graveyard of old generalities replaced by >> newer specifics.) There was certainly consensus fairly early that the >> standard would include some distinction like "first party vs. third party" >> or "cross-site" - but I don't believe the group was sophisticated enough at >> that point to agree on details. In fact, we're just now working out the >> specifics. >> >> >> >> On Wed, Jan 11, 2012 at 4:37 PM, Jonathan Mayer <jmayer@stanford.edu> wrote: >> >> I think there's a language ambiguity here. Some consider "cross-site >> tracking" to be about correlating user actions on unrelated websites. >> Others consider "cross-site tracking" to be about information practices by >> third-party websites. In light of the ambiguity, I'd support dropping the >> term from the Preference Expression document and replacing it with something >> more neutral. >> >> Moreover, at a higher level, I don't think compliance policy questions >> belong in that document. Preference Expression should be a technical >> vehicle for whatever Compliance and Scope specifies - no more and no less. >> I would support clarifying that principle in the documents and trimming the >> lengthy policy-based introduction from the Preference Expression document. >> >> I am very sensitive to Roy's and Kevin's concern that the group not move >> away from its consensus that this standard will impose (almost) no limits on >> first-party conduct. I believe the current proposals for Compliance and >> Scope accurately reflect that consensus. To the extent they don't, debate >> should be held in the context of that document, not surrounding an ambiguous >> turn of phrase elsewhere. >> >> Jonathan >> >> >> On Jan 11, 2012, at 11:46 AM, Rigo Wenning wrote: >> >>> Kevin, >>> >>> can you explain cross-site tracking by first parties to me? I just point >>> out >>> the logic break here. Either we talk about first vs third parties or we >>> solely >>> scope the entire exercise and scope to "cross-site tracking". >>> >>> Rigo >>> >>> On Wednesday 11 January 2012 11:13:08 Kevin Smith wrote: >>>> Actually, at least in the early meetings, I believe we had near consensus >>>> that the objective of this working group would be focused around >>>> cross-site >>>> tracking (despite a somewhat confusing name of DNT). Most of the current >>>> issues and discussions are reflective of this direction - such as >>>> defining >>>> affiliates, 1st vs 3rd parties, and exceptions to when cross-site >>>> tracking >>>> are permissible such as rate frequency capping. >>>> >>>> If that is still true, I think it's imperative to have it spelled out as >>>> Roy >>>> has done in the doc to avoid as much confusion as possible. >>> >> >> >> >> >> >> -- >> Sean Harvey >> Business Product Manager >> Google, Inc. >> 212-381-5330 >> sharvey@google.com >> >> > > David Singer Multimedia and Software Standards, Apple Inc.
Received on Friday, 13 January 2012 03:41:58 UTC