W3C home > Mailing lists > Public > public-tracking@w3.org > January 2012

Re: cross-site tracking and what it means

From: Sean Harvey <sharvey@google.com>
Date: Wed, 18 Jan 2012 21:53:38 -0500
Message-ID: <CAFy-vuc2xyOeohRcHwLwzs5EmehmhMOWMw2Vm8qcqzdgp9LHSQ@mail.gmail.com>
To: David Singer <singer@apple.com>
Cc: "public-tracking@w3.org (public-tracking@w3.org)" <public-tracking@w3.org>
at a high level, i was not suggesting that third parties could continue to
collect user data (or link it to previous data) in a DNT-on scenario.

an advertiser for example is typically buying ad inventory across multiple
websites, and any data they collect is thus cross-site.

On Wed, Jan 18, 2012 at 8:01 PM, David Singer <singer@apple.com> wrote:

> David, Kevin, thanks
> I read through this and some other background material.
> I share the unease about the difficulty of defining 1st and 3rd parties,
> and would love to find a way to eliminate that distinction and apply
> uniform rules.  But, if I understand it correctly, what you and Kevin are
> saying is not, I think, satisfactory.  But I may mis-understand.  Let me
> work through it, in case I am off base.
> As I understand it, you're saying that
> * the sites I visit can remember anything about the nature and content of
> the visits I make to them (currently described as 1st party)
> * the sites that those sites 'pull in' (3rd parties, in our current terms)
> can remember
>  + NOT ONLY the fact that I pulled content from them, and that it was me
>  + BUT ALSO that it was because of visits to various other, ("1st party")
> sites ('he visited cnn.com and we showed him a book ad; bbc.com and we
> showed a soap ad')
> As far as I can tell, you seem to propose that the 3rd parties can collect
> all the same data as today, with the sole exception that the records have
> an extra tag on them -- whether they were collected under DNT or not -- and
> that the records collected under DNT have to be segregated and not
> correlated with the others.
> My problems are
> *  this is a usage restriction which is easily (accidentally or
> deliberately) dropped. The correlation and aggregation could happen at any
> time.
> *  I believe that 3rd parties remembering which 1st parties I chose to
> visit is, prima facie, cross-site, and should be excluded, not permitted.
> *  this is very close to a previous idea, that DNT didn't control tracking
> at all, just the presentation of behavioral advertising; the same database
> was being built, just the symptoms hidden from the users.
> Now, I may have misunderstood.  But if I haven't, this doesn't address my
> concern as a consumer: I do not want organizations I did not choose to
> interact with, and whose very identity is usually hidden from me, building
> databases about me. That's tracking.  I don't think this meets "treat me as
> someone about whom you know nothing and remember nothing".
> If we were to say that *every* site, under DNT must not remember anything
> about my interaction with any other site than itself (and that rules out
> 3rd parties keeping records that identify the 1st party, as well), that
> *might* get closer.  Now the advertising site can do frequency capping (it
> remembers what ads it previously showed me) but not behavioral tracking (it
> does not remember I visited CNN, BBC and Amazon, and does not remember what
> I read or bought on those sites).  But this needs a lot of working through,
> and I am not hopeful it actually comes out simpler than the 1st/3rd
> distinction.
> On Jan 17, 2012, at 8:22 , David Wainberg wrote:
> > Kevin circulated some great materials and discussion on this back in
> December:
> http://lists.w3.org/Archives/Public/public-tracking/2011Dec/0051.html and
> http://lists.w3.org/Archives/Public/public-tracking/2011Dec/0127.html.
> >
> > But I'm happy to take a stab at explaining how I see it.
> >
> > In defining 1st vs 3rd, and saying DNT doesn't, for the most part, apply
> to 1st parties, are we saying that 1st parties have an exception to engage
> in [cross-site] tracking, or are we saying 1st party data collection, by
> definition, is not [cross-site] tracking? There seems to be, if not
> consensus, at least widespread agreement that the concern of this standard
> (the "Do Not" of DNT) is something along the lines of the collection and
> accumulation of data about internet users' web browsing history across
> (unrelated | unaffiliated | non-commonly branded | ??)  websites. I don't
> think we mean that 1st parties are free to engage in [cross-site] tracking,
> but rather that once it's cross-site, it's no longer 1st party. There may
> be parties who have consent to track across sites by virtue of their 1st
> party relationship with the user, but is there such a thing as 1st party
> cross-site tracking? Let's assume we can acheive a defition of cross-site
> tracking, do you imagine 1st and 3rd parties would be treated differently
> under the standard? I don't imagine so, though 1st parties will have
> different opportunities for acquiring users' consent.
> >
> > One might then think that the 1st/3rd party distinction and "cross-site"
> are equivalent. But I would argue they're not, for at least the following.
> First, defining cross-site tracking is closer to the problem we're trying
> to solve, and that's generally a good thing. By tailoring our definitions
> to the actual problems we are trying to solve, we reduce the risk of being
> overinclusive, creating ambiguity, or creating unintended consequences.
> >
> > Additionally, although we will still need to define cross-site tracking,
> I think that's an easier problem to solve and will be easier for all
> parties to implement. Parties can be lots of things. It's impossible to
> account for all the different relationships between parties and users, and
> parties and parties, and so on. Cross-site tracking data is a much more
> constrained set, so will be that much easier to put a definition around.
> >
> > By taking the cross-site approach, DNT becomes as simple as:
> >
> > 1. Cross-site tracking = X
> > 2. If DNT == 1, X may not be done, except:
> >    a. with consent; or
> >    b. for these purposes: [...]
> >
> > Some of the benefits:
> > - Relies simply on a clear definition of the data collection and use
> practices DNT is concerned with, rather than a multi-step process of
> determining party status and then covered collection and use.
> > - Removes the step of determining 1st vs 3rd party status in any given
> circumstance, and then possibly having separate compliance paths for each.
> > - Saves us from defining 1st vs 3rd parties, and thus eliminates having
> to deal with edge cases like widgets and URL shorteners.
> > - Solves the 3rd party as agent problem: if it's not cross-site, it's
> not covered.
> >
> >
> >
> > On 1/13/12 5:41 PM, David Singer wrote:
> >> In reading a separate thread, I realized that there is a potential
> issue here over DNT:0.
> >>
> >> A little while back we discussed whether the UA should send a DNT
> header to the first party.  A number of us argued that it should, even if
> the first party is exempt: because the first party may care that its third
> parties are being asked not to track - it might ask for payment in
> consequence, for example.
> >>
> >> This argument relies on the assumption that DNT is a single 'big
> switch', either on or off, but the discussion around DNT:0 reveals that
> people think it may be OK for the UA to send DNT:1 to some sites, and DNT:0
> to others.
> >>
> >> So what, then, does the first party get?  DNT:1 if any third party is
> getting DNT:1, else DNT:0 if all are getting DNT:0?  An average of the DNT
> values :-) DNT:0.7 ??!
> >>
> >> Am I, as a UA, allowed to mix non-DNT requests into the mix?
> >>
> >>
> >> David Singer
> >> Multimedia and Software Standards, Apple Inc.
> >>
> >>
> David Singer
> Multimedia and Software Standards, Apple Inc.

Sean Harvey
Business Product Manager
Google, Inc.
Received on Thursday, 19 January 2012 02:54:09 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 17:38:30 UTC