- From: David Wainberg <dwainberg@appnexus.com>
- Date: Tue, 17 Jan 2012 11:22:17 -0500
- To: David Singer <singer@apple.com>
- CC: "public-tracking@w3.org (public-tracking@w3.org)" <public-tracking@w3.org>

Kevin circulated some great materials and discussion on this back in December: http://lists.w3.org/Archives/Public/public-tracking/2011Dec/0051.html and http://lists.w3.org/Archives/Public/public-tracking/2011Dec/0127.html. But I'm happy to take a stab at explaining how I see it.

In defining 1st vs 3rd, and saying DNT doesn't, for the most part, apply to 1st parties, are we saying that 1st parties have an exception to engage in [cross-site] tracking, or are we saying 1st party data collection, by definition, is not [cross-site] tracking?

There seems to be, if not consensus, at least widespread agreement that the concern of this standard (the "Do Not" of DNT) is something along the lines of the collection and accumulation of data about internet users' web browsing history across (unrelated | unaffiliated | non-commonly branded | ??) websites. I don't think we mean that 1st parties are free to engage in [cross-site] tracking, but rather that once it's cross-site, it's no longer 1st party. There may be parties who have consent to track across sites by virtue of their 1st party relationship with the user, but is there such a thing as 1st party cross-site tracking?

Let's assume we can achieve a definition of cross-site tracking, do you imagine 1st and 3rd parties would be treated differently under the standard? I don't imagine so, though 1st parties will have different opportunities for acquiring users' consent.

One might then think that the 1st/3rd party distinction and "cross-site" are equivalent. But I would argue they're not, for at least the following.

First, defining cross-site tracking is closer to the problem we're trying to solve, and that's generally a good thing. By tailoring our definitions to the actual problems we are trying to solve, we reduce the risk of being overinclusive, creating ambiguity, or creating unintended consequences.

Additionally, although we will still need to define cross-site tracking, I think that's an easier problem to solve and will be easier for all parties to implement. Parties can be lots of things. It's impossible to account for all the different relationships between parties and users, and parties and parties, and so on. Cross-site tracking data is a much more constrained set, so will be that much easier to put a definition around.

By taking the cross-site approach, DNT becomes as simple as:

1. Cross-site tracking = X
2. If DNT == 1, X may not be done, except:
   a. with consent; or
   b. for these purposes: [...]

Some of the benefits:

- Relies simply on a clear definition of the data collection and use practices DNT is concerned with, rather than a multi-step process of determining party status and then covered collection and use.
- Removes the step of determining 1st vs 3rd party status in any given circumstance, and then possibly having separate compliance paths for each.
- Saves us from defining 1st vs 3rd parties, and thus eliminates having to deal with edge cases like widgets and URL shorteners.
- Solves the 3rd party as agent problem: if it's not cross-site, it's not covered.

On 1/13/12 5:41 PM, David Singer wrote:
> In reading a separate thread, I realized that there is a potential issue here over DNT:0.
>
> A little while back we discussed whether the UA should send a DNT header to the first party. A number of us argued that it should, even if the first party is exempt: because the first party may care that its third parties are being asked not to track - it might ask for payment in consequence, for example.
>
> This argument relies on the assumption that DNT is a single 'big switch', either on or off, but the discussion around DNT:0 reveals that people think it may be OK for the UA to send DNT:1 to some sites, and DNT:0 to others.
>
> So what, then, does the first party get? DNT:1 if any third party is getting DNT:1, else DNT:0 if all are getting DNT:0? An average of the DNT values :-) DNT:0.7 ??!
>
> Am I, as a UA, allowed to mix non-DNT requests into the mix?
>
>
> David Singer
> Multimedia and Software Standards, Apple Inc.

Received on Tuesday, 17 January 2012 16:22:42 UTC