- From: David Wainberg <dwainberg@appnexus.com>
- Date: Tue, 17 Jan 2012 11:22:17 -0500
- To: David Singer <singer@apple.com>
- CC: "public-tracking@w3.org (public-tracking@w3.org)" <public-tracking@w3.org>
Kevin circulated some great materials and discussion on this back in
December:
http://lists.w3.org/Archives/Public/public-tracking/2011Dec/0051.html
and http://lists.w3.org/Archives/Public/public-tracking/2011Dec/0127.html.
But I'm happy to take a stab at explaining how I see it.
In defining 1st vs 3rd, and saying DNT doesn't, for the most part, apply
to 1st parties, are we saying that 1st parties have an exception to
engage in [cross-site] tracking, or are we saying 1st party data
collection, by definition, is not [cross-site] tracking? There seems to
be, if not consensus, at least widespread agreement that the concern of
this standard (the "Do Not" of DNT) is something along the lines of the
collection and accumulation of data about internet users' web browsing
history across (unrelated | unaffiliated | non-commonly branded | ??)
websites. I don't think we mean that 1st parties are free to engage in
[cross-site] tracking, but rather that once it's cross-site, it's no
longer 1st party. There may be parties who have consent to track across
sites by virtue of their 1st party relationship with the user, but is
there such a thing as 1st party cross-site tracking? Let's assume we can
acheive a defition of cross-site tracking, do you imagine 1st and 3rd
parties would be treated differently under the standard? I don't imagine
so, though 1st parties will have different opportunities for acquiring
users' consent.
One might then think that the 1st/3rd party distinction and "cross-site"
are equivalent. But I would argue they're not, for at least the
following. First, defining cross-site tracking is closer to the problem
we're trying to solve, and that's generally a good thing. By tailoring
our definitions to the actual problems we are trying to solve, we reduce
the risk of being overinclusive, creating ambiguity, or creating
unintended consequences.
Additionally, although we will still need to define cross-site tracking,
I think that's an easier problem to solve and will be easier for all
parties to implement. Parties can be lots of things. It's impossible to
account for all the different relationships between parties and users,
and parties and parties, and so on. Cross-site tracking data is a much
more constrained set, so will be that much easier to put a definition
around.
By taking the cross-site approach, DNT becomes as simple as:
1. Cross-site tracking = X
2. If DNT == 1, X may not be done, except:
a. with consent; or
b. for these purposes: [...]
Some of the benefits:
- Relies simply on a clear definition of the data collection and use
practices DNT is concerned with, rather than a multi-step process of
determining party status and then covered collection and use.
- Removes the step of determining 1st vs 3rd party status in any given
circumstance, and then possibly having separate compliance paths for each.
- Saves us from defining 1st vs 3rd parties, and thus eliminates having
to deal with edge cases like widgets and URL shorteners.
- Solves the 3rd party as agent problem: if it's not cross-site, it's
not covered.
On 1/13/12 5:41 PM, David Singer wrote:
> In reading a separate thread, I realized that there is a potential issue here over DNT:0.
>
> A little while back we discussed whether the UA should send a DNT header to the first party. A number of us argued that it should, even if the first party is exempt: because the first party may care that its third parties are being asked not to track - it might ask for payment in consequence, for example.
>
> This argument relies on the assumption that DNT is a single 'big switch', either on or off, but the discussion around DNT:0 reveals that people think it may be OK for the UA to send DNT:1 to some sites, and DNT:0 to others.
>
> So what, then, does the first party get? DNT:1 if any third party is getting DNT:1, else DNT:0 if all are getting DNT:0? An average of the DNT values :-) DNT:0.7 ??!
>
> Am I, as a UA, allowed to mix non-DNT requests into the mix?
>
>
> David Singer
> Multimedia and Software Standards, Apple Inc.
>
>
Received on Tuesday, 17 January 2012 16:22:42 UTC