- From: Sean Harvey <sharvey@google.com>
- Date: Wed, 18 Jan 2012 21:53:38 -0500
- To: David Singer <singer@apple.com>
- Cc: "public-tracking@w3.org (public-tracking@w3.org)" <public-tracking@w3.org>
- Message-ID: <CAFy-vuc2xyOeohRcHwLwzs5EmehmhMOWMw2Vm8qcqzdgp9LHSQ@mail.gmail.com>
at a high level, i was not suggesting that third parties could continue to collect user data (or link it to previous data) in a DNT-on scenario. an advertiser for example is typically buying ad inventory across multiple websites, and any data they collect is thus cross-site. On Wed, Jan 18, 2012 at 8:01 PM, David Singer <singer@apple.com> wrote: > David, Kevin, thanks > > I read through this and some other background material. > > I share the unease about the difficulty of defining 1st and 3rd parties, > and would love to find a way to eliminate that distinction and apply > uniform rules. But, if I understand it correctly, what you and Kevin are > saying is not, I think, satisfactory. But I may mis-understand. Let me > work through it, in case I am off base. > > As I understand it, you're saying that > * the sites I visit can remember anything about the nature and content of > the visits I make to them (currently described as 1st party) > * the sites that those sites 'pull in' (3rd parties, in our current terms) > can remember > + NOT ONLY the fact that I pulled content from them, and that it was me > + BUT ALSO that it was because of visits to various other, ("1st party") > sites ('he visited cnn.com and we showed him a book ad; bbc.com and we > showed a soap ad') > > As far as I can tell, you seem to propose that the 3rd parties can collect > all the same data as today, with the sole exception that the records have > an extra tag on them -- whether they were collected under DNT or not -- and > that the records collected under DNT have to be segregated and not > correlated with the others. > > My problems are > * this is a usage restriction which is easily (accidentally or > deliberately) dropped. The correlation and aggregation could happen at any > time. > * I believe that 3rd parties remembering which 1st parties I chose to > visit is, prima facie, cross-site, and should be excluded, not permitted. > * this is very close to a previous idea, that DNT didn't control tracking > at all, just the presentation of behavioral advertising; the same database > was being built, just the symptoms hidden from the users. > > Now, I may have misunderstood. But if I haven't, this doesn't address my > concern as a consumer: I do not want organizations I did not choose to > interact with, and whose very identity is usually hidden from me, building > databases about me. That's tracking. I don't think this meets "treat me as > someone about whom you know nothing and remember nothing". > > If we were to say that *every* site, under DNT must not remember anything > about my interaction with any other site than itself (and that rules out > 3rd parties keeping records that identify the 1st party, as well), that > *might* get closer. Now the advertising site can do frequency capping (it > remembers what ads it previously showed me) but not behavioral tracking (it > does not remember I visited CNN, BBC and Amazon, and does not remember what > I read or bought on those sites). But this needs a lot of working through, > and I am not hopeful it actually comes out simpler than the 1st/3rd > distinction. > > On Jan 17, 2012, at 8:22 , David Wainberg wrote: > > > Kevin circulated some great materials and discussion on this back in > December: > http://lists.w3.org/Archives/Public/public-tracking/2011Dec/0051.html and > http://lists.w3.org/Archives/Public/public-tracking/2011Dec/0127.html. > > > > But I'm happy to take a stab at explaining how I see it. > > > > In defining 1st vs 3rd, and saying DNT doesn't, for the most part, apply > to 1st parties, are we saying that 1st parties have an exception to engage > in [cross-site] tracking, or are we saying 1st party data collection, by > definition, is not [cross-site] tracking? There seems to be, if not > consensus, at least widespread agreement that the concern of this standard > (the "Do Not" of DNT) is something along the lines of the collection and > accumulation of data about internet users' web browsing history across > (unrelated | unaffiliated | non-commonly branded | ??) websites. I don't > think we mean that 1st parties are free to engage in [cross-site] tracking, > but rather that once it's cross-site, it's no longer 1st party. There may > be parties who have consent to track across sites by virtue of their 1st > party relationship with the user, but is there such a thing as 1st party > cross-site tracking? Let's assume we can acheive a defition of cross-site > tracking, do you imagine 1st and 3rd parties would be treated differently > under the standard? I don't imagine so, though 1st parties will have > different opportunities for acquiring users' consent. > > > > One might then think that the 1st/3rd party distinction and "cross-site" > are equivalent. But I would argue they're not, for at least the following. > First, defining cross-site tracking is closer to the problem we're trying > to solve, and that's generally a good thing. By tailoring our definitions > to the actual problems we are trying to solve, we reduce the risk of being > overinclusive, creating ambiguity, or creating unintended consequences. > > > > Additionally, although we will still need to define cross-site tracking, > I think that's an easier problem to solve and will be easier for all > parties to implement. Parties can be lots of things. It's impossible to > account for all the different relationships between parties and users, and > parties and parties, and so on. Cross-site tracking data is a much more > constrained set, so will be that much easier to put a definition around. > > > > By taking the cross-site approach, DNT becomes as simple as: > > > > 1. Cross-site tracking = X > > 2. If DNT == 1, X may not be done, except: > > a. with consent; or > > b. for these purposes: [...] > > > > Some of the benefits: > > - Relies simply on a clear definition of the data collection and use > practices DNT is concerned with, rather than a multi-step process of > determining party status and then covered collection and use. > > - Removes the step of determining 1st vs 3rd party status in any given > circumstance, and then possibly having separate compliance paths for each. > > - Saves us from defining 1st vs 3rd parties, and thus eliminates having > to deal with edge cases like widgets and URL shorteners. > > - Solves the 3rd party as agent problem: if it's not cross-site, it's > not covered. > > > > > > > > On 1/13/12 5:41 PM, David Singer wrote: > >> In reading a separate thread, I realized that there is a potential > issue here over DNT:0. > >> > >> A little while back we discussed whether the UA should send a DNT > header to the first party. A number of us argued that it should, even if > the first party is exempt: because the first party may care that its third > parties are being asked not to track - it might ask for payment in > consequence, for example. > >> > >> This argument relies on the assumption that DNT is a single 'big > switch', either on or off, but the discussion around DNT:0 reveals that > people think it may be OK for the UA to send DNT:1 to some sites, and DNT:0 > to others. > >> > >> So what, then, does the first party get? DNT:1 if any third party is > getting DNT:1, else DNT:0 if all are getting DNT:0? An average of the DNT > values :-) DNT:0.7 ??! > >> > >> Am I, as a UA, allowed to mix non-DNT requests into the mix? > >> > >> > >> David Singer > >> Multimedia and Software Standards, Apple Inc. > >> > >> > > David Singer > Multimedia and Software Standards, Apple Inc. > > > -- Sean Harvey Business Product Manager Google, Inc. 212-381-5330 sharvey@google.com
Received on Thursday, 19 January 2012 02:54:09 UTC