- From: Peter Cranstone <peter.cranstone@gmail.com>
- Date: Sat, 16 Jun 2012 10:24:29 -0600
- To: "Roy T. Fielding" <fielding@gbiv.com>, Jonathan Mayer <jmayer@stanford.edu>
- CC: <public-tracking@w3.org>
One typo in the last responseŠ Summary 1) WithOUT a clear definition of what constitutes tracking which is agreed upon by all parties, the spec cannot move forward. Peter ___________________________________ Peter J. Cranstone 720.663.1752 -----Original Message----- From: Peter Cranstone <peter.cranstone@gmail.com> Date: Saturday, June 16, 2012 10:04 AM To: "Roy T. Fielding" <fielding@gbiv.com>, Jonathan Mayer <jmayer@stanford.edu> Cc: W3 Tracking <public-tracking@w3.org> Subject: Re: Towards a Grand Compromise >There's so much to comment on this post it would take pages. Instead I >will limit myself to two CRITICAL sections. > >1) The Definition of Tracking >2) User Agent and server side compliance. > >RE: 1 The definition of tracking. > >Roy's 100% correct. Until a definition is AGREED upon by ALL parties then >the spec fails. As I wrote in a previous post >http://lists.w3.org/Archives/Public/public-tracking/2012Jun/0216.html - >Alignment of interests and meeting expectations, it is imperative that the >definition aligns with all parties to the process. > >The user ONLY knows and expects one thing - Tell Web Sites to Not Track >Me. IMO a very unambiguous statement. He/She will simply set it and forget >it. However because there is no clear definition on what tracking means >we're now faced with an un-implimentable number of server side exceptions >with a corresponding number of UI issues to resolve. > >We should start with a list on this forum of ALL the ways that current >tracking is done. That will become the baseline for the definition. >(Unfortunately I can imagine that this will consume the forum because of >different agendas.) > > >RE: 2 User Agent and server side compliance > >The User Agent is NOT in the spotlight here. All the server should look >for is the presence of a DNT flag and then it's current setting. We've >argued the point to death that there is NO WAY for the server to determine >the "Choice" of the user. For example? > >1) I download and install Windows 8 and accept the defaults because it is >MY choice >2) I download and install Windows 8 and disable DNT because it's MY choice >3) After 3 days of using Window 8 I enable DNT because it's MY choice > >All of the above are EQUALLY viable under the spec. Because the spec says >"Therefore, users need a mechanism to express their own preference >regarding tracking that is both simple to configure and efficient when >implemented". In the case of Windows 8 Microsoft made the choice for me - >and I'm ok with that (my choice), AND they gave me a mechanism to change >it if I want to. The only thing they omitted was a pop-up dialog asking >the user to accept the defaults for I.E. 10 which includes turning on DNT. >Think about that for a second. One pop up added by Microsoft and they're >suddenly in full compliance with the spec and still the server will NOT >know who set the flag. > >Summary > >1) With a clear definition of what constitutes tracking which is agreed >upon by all parties, the spec cannot move forward. >2) Unless you dramatically expand the scope of the protocol there is >clearly NO way (other than press releases which servers don't read) to >know WHO set the DNT flag. > > > >Peter >___________________________________ >Peter J. Cranstone >720.663.1752 > > > > > > > > >-----Original Message----- >From: "Roy T. Fielding" <fielding@gbiv.com> >Date: Saturday, June 16, 2012 3:53 AM >To: Jonathan Mayer <jmayer@stanford.edu> >Cc: W3 Tracking <public-tracking@w3.org> >Subject: Re: Towards a Grand Compromise >Resent-From: W3 Tracking <public-tracking@w3.org> >Resent-Date: Sat, 16 Jun 2012 09:53:40 +0000 > >>Regarding the "Do Not Track - Compromise Proposal" of 11 June 2012: >> >>I am disappointed that this proposal repeats so much of the current >>compliance document that has been repeatedly rejected by those >>who are expected to implement it. The key to any consensus process >>is to make positive steps toward adoption by all members, not by >>splitting the difference on never-going-to-be-implemented features. >> >>Fundamental problems >>==================== >> >>0) This is not the collection protection working group -- it is the >> tracking protection working group and it has a chartered delivery >> requirement for a document that defines the meaning of a do not >> track preference. >> >> DNT expresses "do not track". We either agree on a definition for >> tracking or we don't have a protocol. When we have a definition for >> tracking, all of the constraints on data collection will be a subset >> of that definition. Adobe will not accept blanket constraints on all >> data collection based on the theory that a few exceptions will cover >> our needs: we have no way to anticipate all of the future needs of >> our customers that might have nothing to do with tracking. >> >> The user is asking not to be tracked, to which we can comply if we >> have a specific definition that includes both the process of tracking >> and data collection enabled by that tracking. Some regulators are >> requiring prior consent for collection of personal information, >> to which we can comply by obtaining that prior consent or by >> excluding the personal information from retention. We have no >> interest in requirements for DNT that exceed these two mandates >> from users and regulators. If additional privacy issues arise, >> they should be addressed regardless of whether the user has >> transmitted DNT; thus, they are outside our current scope. >> >> Data collection that is not associated with user activity and >> which does not represent an identified privacy issue should not >> be constrained by this standard. If privacy violations occur, >> the responsible parties should be punished regardless of DNT. >> There is no need for DNT to cover all privacy concerns. >> >> >>1) We have not found a way for a UA to indicate whether a given >> request is intentional or not, and we cannot design based on >> meaningless phrases like "infer with a high probability". >> The distinction between first and third party resource must either >> be testable via the protocol or determinable independent of >> specific requests. >> >> A server cannot prevent any given first party resource from being >> reused in what the WG would consider someone else's first party >> context (making it a third party resource). Hence, we have no way >> of complying with the definition as stated other than by always >> adhering to the third-party constraints. >> >> There is a simple solution: define the type of resource according >> to how the resource owner has designed it to be used, consistent >> with how that party chooses to use the resource on its own sites, >> and how it has documented the resource for use by others. >> TPE is already defined in those terms. >> >> >>2) Outsourcing is not an exception -- it is the rule. When we say a >> third party is acting as a first party, they *are* the first party. >> Likewise, when a contractor is acting on behalf of a third party, >> they are that third party. >> >> Very few sites on the Web fall into the billionaire's club of large >> Web providers that can afford to build their own analytics and >> advertising businesses within the same corporate shell. The ability >> to contract for services from the likes of Adobe, AWS, and Akamai is >> what allows the small mom-and-pop web sites to compete and grow their >> businesses incrementally. Creating an artificial distinction between >> in-house proprietary services and contractually-provided services is >> not acceptable because it would create an artificial market advantage >> for conglomerates, which would in turn invite scrutiny of this group >> for anti-trust concerns. >> >> The privacy issues regarding service provider data collection can be >> covered by constraints on ownership and sharing of data. Adobe won't >> accept any requirement that prevents a contractor, acting on behalf >> of a first party customer, from doing or implementing anything that >> a conglomerate could have done within the first party constraints. >> >> The solution is to define outsourced service providers as the same >> party if they only act as data processors on behalf of that party, >> silo the data so that it cannot be accessed by other parties, and >> have no control over that data except as directed by that party. >> Hence, requirements on properly outsourced service providers for a >> party (first or third) should not be any more restrictive or >> permissive than the requirements on that party's employees. >> >> >>3) We cannot comply with any requirements on "receives". >> >> What a server receives is determined by the user agent. >> Any requirement on what we receive would cause us to be non-compliant >> as soon as some joker decides to use curl to send us more information >> than we would expect, or when some lazy developer copies and pastes >> HTML content from one our own websites within a third party context >> that we did not expect to receive data. >> >> There is no justification for those requirements in the spec. >> >> >>4) How we implement something is none of your business. >> >> The proposal contains numerous half-baked ideas on how various >>services >> shall be implemented. None of that belongs in a compliance document >>for >> a network protocol. Requirements must be on externally observable >>events >> that are known to be privacy sensitive, not internal implementations. >> Otherwise, the spec would inhibit innovation and prevent adequate >> solutions that might better fit the scale or sensitivity of data for >> a given context. >> >> If you have specific solutions in mind for better ways of advertising, >> auditing, or analytics, then I encourage you to start your own >>business >> (or open source charity) and demonstrate the merits of that >>implementation >> in practice. >> >> What this WG needs to concern itself with is actual loss of privacy, >> not theoretical ideas of what might constitute a bulletproof service. >> >> >>5) Unlinkability does not need to be expressed in terms of probability. >> >> Data is not personally identifiable if it cannot be associated with >> an individual. Data that is not personally identifiable should have a >> blanket exception -- there is no need for additional requirements on >> validation, and certainly not a magic number like 1024-unlinkable. >> >> DNT requirements should only apply to the handling of linkable data. >> Probability would only estimate the likelihood of failure to comply. >> >> >>6) The requirements should distinguish between communication records >> (log files) and data collection for operational use. Log files should >> not be subject to limitations on tracking if they are not used for >> operations other than what is necessary to support the permitted uses. >> Log files are still subject to other limitations under data protection >> laws, but that is independent of whether the user asks for DNT. >> >> We only need to require that: >> a) log files record the DNT status for each request until the >> records are destroyed or rendered unlinkable; and, >> b) aside from the permitted uses, processing a logfile is only >> allowed if all records marked as DNT:1 are excluded from that >> processing or if the data derived as a result of the >> processing is entirely unlinkable. >> >> >>Specific comments >>================= >> >>> 2. Parties, First Parties and Third Parties >> >> As described above, service providers that are only data processors >> should be considered within the same party as the contracting party. >> >> Differing constraints on third party versus first party services need >> to be rephrased in terms of the design of each resource rather than >> the intent of the user. >> >> If a resource is designed for direct interaction, is only used by >> the resource owner on its own sites for direct interaction, and >> is not documented by the resource owner for use as an embedded API >> for other sites, then the resource need only comply with first-party >> requirements. Otherwise, the resource must comply with third-party >> requirements unless it can dynamically determine that it has been >> invoked in a first party context. >> >>> 3. Information Practices >>> >>> 3.1 Reception, Retention, Use, and Sharing >>> >>> A party receives data if the data comes within its control. >> >>irrelevant >> >>> A party retains data if the data remains within the party's control. >> >>"... beyond the scope of the current interaction." >> >>> A party uses data if the party processes the data for any purpose, >>> including for storage. >> >>"... other than merely forwarding it to another party." >> >>> A party shares data if the party enables another party to receive >>>the >>> data. >> >>"A party shares data if it allows any other party to receive or >>access that data." >> >>> 3.2 First Party >>> >>> A first party must not share information with a third party that the >>>third >>> party is prohibited from receiving itself. >> >>There is no way for a first party to know what a third party is >>prohibited from receiving, both because we can't prohibit receiving >>and because the potential for prior consent always exists. >> >>> Best Practice 1: Additional Voluntary Measures >>> >>> A first party may voluntarily take steps to protect user privacy >>>when >>> responding to a Do Not Track request. >> >>That text serves no useful purpose. >> >>> 3.3 Third Party >>> >>> 3.3.1 General Rule >>> >>> A third party must not receive, retain, use, or share any >>>information >>> related to communication with a user or user agent. There are >>>exceptions >>> to this general rule as defined in the following sections. In case >>>of >>> ambiguity, an exception must be construed narrowly. Each exception >>> operates independently; exceptions cannot be combined except where >>> explicitly noted otherwise. >> >>No, exceptions are permissions and they combine just fine. >> >>As mentioned a dozen times before, I object to blanket prohibition >>of things that a third party obviously has to do just to process >>a request, even if it is followed by a specific list of exceptions >>that might or might not be enough to actually process that request. >>If you can't formulate a requirement in terms of actual tracking >>or the data collected as a result of tracking, then I will not >>implement that requirement. As such, this entire section 3.3 >>is not suitable for our specification. >> >>> 3.3.2.3 Outsourcing >> >>Outsourcing is a general aspect of implementation by any party. >>It should not be buried under third party. >> >>> A first party may outsource website functionality to a third party, >>>in >>> which case the third party may act as the first party under this >>>standard >>> with the following additional restrictions. >>> >>> 3.3.2.3.1 Technical Precautions >>> >>> 3.3.2.3.1.1 Operative Text >>> >>> Throughout all data reception, retention, and use, outsourced >>>service >>> providers must use all feasible technical precautions to both >>>mitigate the >>> linkability of and prevent the linking of data from different first >>> parties. >> >>Nonsense, that's unimplementable in practice (nobody knows what >>"all feasible technical precautions" are at any given moment). >>Furthermore, this requirement is not specific to outsourcing -- >>it would apply to any third party. And in the specific case of >>outsourcing, we don't have control over the data and thus cannot >>prevent two different parties from collecting the same identifiable >>information, thereby making the data sets linkable by accident. >> >>> Structural separation ("siloing") of data per first party, including >>>both >>> 1. separate data structures and >>> 2. avoidance of shared unique identifiers >>> are necessary, but not necessarily sufficient, technical >>>precautions. >> >>Not phrased as a testable requirement. Moreover, shared identifiers >>are only a tracking concern if they are retained by the server in a >>form that could be correlated across multiple first parties. >> >>> 3.3.2.3.1.2 Non-Normative Discussion >> >>Actually, the contents of this section consists of a number of >>suggested best practices with an occasional mixture of normative >>"must" and "should" statements. They do not belong here. >> >>... >> >>> 3.3.2.3.1.2.2 Siloing in the Backend >> >>See general note about "none of your business". This section and all >>subsections are not suitable for our documents. >>... >> >>> 3.3.2.3.1.2.3 Retention in the Backend >>> >>> An outsourcing service should retain information only so long as >>>necessary >>> to provide necessary functionality to a first party. If a service >>>creates >>> periodic reports, for example, it should delete the data used for a >>>report >>> once it is generated. An outsourcing service should be particularly >>> sensitive to retaining protocol logs, since they may allow >>>correlating >>> user activity across multiple first parties. >> >>There is no chance that Adobe will agree to delete data that belongs >>to the first party just because we are a contractor. By definition, >>we do not own that data. And protocol logs are not specific to DNT. >> >>... >> >>> 3.3.2.3.3 Use Direction >>> >>> An outsourced service >>> 1. must use data retained on behalf of a first party ONLY on behalf >>>of >>> that first party, and >> >>That belongs in the definition of outsourced service provider. >> >>> 2. must not use data retained on behalf of a first party for their >>>own >>> business purposes, or for any other reasons. >> >>Too broad. Please use the definition of data processor from the EU. >> >>Data must be used in order to retain it in the first place; >>that is the outsourcer's business purpose. The outsourcer might >>provide continued storage and backups of the data, along with a >>suite of tools for use by the party for mining their data to >>produce reports; dissemination of those reports is entirely >>controlled by the contracting party, not the outsourcer. >> >>An outsourcer must be able to do anything that a party can do with >>that data, so long as the outsourcer is acting at the direction >>of that party. Furthermore, the data must be usable by the >>outsourcer as necessary for capacity planning and billing the >>party for services provided. Likewise, aggregate statistics >>based on received requests (across all parties) can be used if >>the statistics do not contain anything linkable to persons. >> >>In general, DNT must not apply to outsourced service providers >>acting as a first party any more than it applies to first >>parties: no sharing is allowed beyond the contracting party >>relationship. >> >>... >> >>> 3.3.2.4 User Permission >>> >>> A website my engage in practices otherwise prohibited by this >>>standard if >>> a user grants permission. Permission may be attained through the >>>browser >>> API defined in the companion Tracking Preference Expression >>>document. A >>> website may also rely on "out-of-band" consent attained through a >>> different technology. An "out-of-band" choice mechanism has the same >>> effect under this standard as the browser exception API, provided >>>that it >>> satisfies the following bright-line requirements: >>> 1. Actual presentation: The choice mechanism must be actually >>>presented >>> to the user. It must not be on a linked page, such as a terms of >>> service or privacy policy. >>> 2. Clear terms: The choice mechanism must use clear, non-confusing >>> terminology. >>> 3. Independent choice: The choice mechanism must be presented >>>independent >>> of other choices. It must not be bundled with other user >>>preferences. >>> 4. No default permission: The choice mechanism must not have the >>>user >>> permission preference selected by default. >> >>Actually, an out of band consent mechanism provides additional >>permissions, whether or not they fall within the scope of this >>specification. In all cases, prior consent overrides DNT because >>it is the only means of enabling the user to selectively allow >>data collection by specific trusted parties without constantly >>having to change their browser configuration. >> >>There is still no need to define how prior consent is obtained, >>provided we define it as specific, explicit, and informed. >> >>> An "out-of-band" choice mechanism must additionally satisfy the >>>following >>> high-level standard: >>> >>> An ordinary user would know that the choice overrides his or her >>>privacy >>> protections under this standard. >> >>No. Most consent actions do not, in any way, harm a user's privacy, >>and ordinary users don't read standards. >> >>> 3.3.2.5 Security >>> >>> 3.3.2.5.1 Operative Text >>> >>> A third party may receive, retain, and use data about a particular >>>user or >>> user agent for the purpose of ensuring its security, provided that >>>there >>> are reasonable grounds to believe the user or user agent was >>>attempting to >>> breach the party's security at the time the data was received. >>> >>> Note: This draft does not address the extent to which technical and >>> business precautions are required for security data. >> >>As already explained, DNT must not have any effect on security or >>fraud controls, period. That is not negotiable. Data retention for >>those purposes may be limited to what is necessary for those purposes, >>but the notion that sending "DNT: 1" has any effect whatsoever on >>security and fraud controls is a non-starter. >> >> >>Cheers, >> >>....Roy T. Fielding, Principal Scientist, Adobe Systems Inc. >> <http://adobe.com/enterprise> >> >> >> > > >
Received on Saturday, 16 June 2012 16:25:13 UTC