Re: Defining Collection/Retention/Use/Sharing (ACTION-64, ISSUE-16) from Bryan Sullivan on 2012-01-26 (public-tracking@w3.org from January 2012)

From: Bryan Sullivan <blsaws@gmail.com>
Date: Thu, 26 Jan 2012 05:59:54 -0800
To: Shane Wiley <wileys@yahoo-inc.com>, Jonathan Mayer <jmayer@stanford.edu>, David Singer <singer@apple.com>
CC: "public-tracking@w3.org (public-tracking@w3.org)" <public-tracking@w3.org>
Message-ID: <CB469BEE.10435%blsaws@gmail.com>

That makes sense to me. If collection is equivalent to reception, then
beyond immediate request processing, all further focus should be upon
retention of the data.

On 1/26/12 3:03 AM, "Shane Wiley" <wileys@yahoo-inc.com> wrote:

>Is it fair state that if "Collection" is defined in such a stringent
>manner that there is no technically feasible manner for a web server to
>NOT collect data (any request/response would at a minimum be "collected"
>in memory - even if immediately purged) and therefore the conversation
>shifts to "Retention" for the group at that point?
>
>- Shane
>
>-----Original Message-----
>From: Jonathan Mayer [mailto:jmayer@stanford.edu]
>Sent: Wednesday, January 25, 2012 7:28 PM
>To: David Singer
>Cc: public-tracking@w3.org (public-tracking@w3.org)
>Subject: Re: Defining Collection/Retention/Use/Sharing (ACTION-64,
>ISSUE-16)
>
>
>On Jan 25, 2012, at 6:28 PM, David Singer wrote:
>
>> I'm not sure I get it.
>> 
>> For example, do I 'collect' the IP address of the user, while the
>>transaction is in process?  Does 'collect' apply to any information that
>>is the server is exposed to?
>
>Yes.
>
>> I would have thought that some extra action is needed before it becomes
>>'collection'.
>
>Not by this definition.
>
>> I think we need to say that the data concerned are 'per-transaction
>>records that contain data that is indexed against a specific user, or an
>>identifier that could be used to identify a specific user'.  That way,
>>transaction logs that are not indexed by IP address (you'd have to troll
>>the log to extract the entries for a given IP) are not in scope, nor are
>>any aggregate counts.
>
>We'll talk about protocol data and unidentifiable data in the context of
>exceptions.  I don't see any reason to make our treatment of them
>implicit.
>
>> I wonder if retention is 'keeping information from or about the
>>transaction, after sending the response', i.e. the persistence after the
>>immediate requested transaction.
>> 
>> 
>> On Jan 25, 2012, at 10:54 , Jonathan Mayer wrote:
>> 
>>> Operative text:
>>> A party "collects" data if the data comes within its control.
>>> A party "retains" data if data remains within a party's control.
>>> A party "uses" data if the party processes the data for any purpose
>>>other than storage.
>> ...storage?  any other purpose than responding to the inbound request?
>> 
>>> A party "shares" data if the party enables another party to collect
>>>the data.
>>> 
>>> Non-normative text:
>>> The definitions of collection, retention, use, and sharing are drafted
>>>expansively so as to comprehensively cover a party's user information
>>>practices.  These definitions do not require a party's intent; a party
>>>may inadvertently collect, retain, use, or share data.  The definition
>>>of collection includes information that a party did not cause to be
>>>transmitted, such as protocol headers.
>> 
>> David Singer
>> Multimedia and Software Standards, Apple Inc.
>> 
>
>
>

Received on Thursday, 26 January 2012 14:02:07 UTC