- From: Heather West <heatherwest@google.com>
- Date: Thu, 21 Jun 2012 15:03:09 -0700
- To: "public-tracking@w3.org Group WG" <public-tracking@w3.org>
- Message-ID: <CA+Z3oObBTSQLmm-DAhbe5UmnCiobjCPJex_AjfhoSLrEnxHFcw@mail.gmail.com>
Also, I can share the working document (in Google Docs) with folks if that is easiest. On Thu, Jun 21, 2012 at 3:02 PM, Heather West <heatherwest@google.com>wrote: > 3 Definitions > > 3.1 Parties > > A party is any commercial, nonprofit, or governmental organization, a > subsidiary or unit of such an organization, or a person. > > For unique corporate entities to qualify as a common party with respect to > this standard, those entities MUST be commonly owned and commonly > controlled (Affiliates) and MUST provide “easy discoverability” of > affiliate organizations. An “Affiliate List” MUST be provided within one > click from each page or the entity owner clearly identified within one > click from each page. > > For example, a clear labeled link to the Affiliate List within the privacy > policy would meet this requirement or the ownership brand clearly labeled > on the privacy policy itself. > > 3.2 First and Third Parties > > A First Party is the party that owns the Web site or has control over the > Web site the consumer visits. A party may start out as a third party but > become a first party later on, after a user meaningfully interacts with it. > > 3.2.1 Service Providers/Outsourcers > > Service Providers acting on the behalf of a First Party and with no > independent rights to use the First Party’s data outside of the context of > that 1st party and Permitted Uses are also considered a First Party. > > It is possible to have multiple first parties on a single page but each > party must provide clear branding and a link to their respective privacy > policy (co-branded experience). > > 3.3 Third Party > > A Third Party is any party other than a First Party, Service Provider, or > a user. > > 3.4 Unidentified Data > > A dataset is un-linkable when commercially reasonable steps have been > taken to de-identify data such that there is confidence that it contains > information which could not be linked to a specific user, user agent, or > device in a production environment, and which the entity will commit to > make no effort to re-identify, and prohibit downstream recipients of > un-linkable data from re-identifying it > > Note: Un-linkable Data is outside of the scope of the Tracking Preference > standard as information is no longer reasonably linked to a particular > user, user agent, or device. > > 4 Compliance with an Expressed Tracking Preference > > 4.1 First Party Compliance > > If a first party receives a communication to which a DNT-1 header is > attached, the first party must not [pass along/transmit/disclose] > [identifiable information about the network interaction] with [a separate > party] with which it does not have a service provider relationship. > > First Parties may engage in their normal collection and use, as long as > they do not pass profile information on to third parties who could not > collect the data themselves under this recommendation. This includes the > ability to customize the content, services, and advertising in the context > of the first party experience. > > 4.1.1 Service Provider to First Party > > A party MUST NOT share (send or receive) collected data or profiles with > another party (unless that party is ONLY working on the behalf of that > specific party – aka Service Provider relationship). > Data collected by a 3rd party under a first party service provider > relationship MUST be segregated according to the 1st party from which it > was collected. A 3rd party MUST NOT aggregate, correlate, or use together > data that was collected on different 1st party sites. > 3rd parties MUST NOT use data across multiple, non-affiliated websites. > > 4.2 Third Party Compliance > > If the operator of a third-party domain receives a communication to which > a DNT:1 header is attached: > that operator must not collect, share, or use information related to that > communication outside of the permitted uses as defined within this standard > and any explicitly-granted exceptions, provided in accordance with the > requirements of this standard; > that operator must not use information about previous communications in > which the operator was a third party, outside of the explicitly expressed > permitted uses as defined within this standard; > that operator may delete information about previous communications in > which the operator was a third party, outside of the explicitly expressed > permitted uses as defined within this standard. > > 4.3 UA > > [PARKED FOR TODAY] > > 4.4 Permitted uses for Third Parties and Service Providers > > For each of the Permitted Uses outlined, the following requirements apply: > Outside of Security, all other Permitted Uses will not allow for altering > a specific user’s online experience based on multi-site activity, including: > No profiling > No further alteration to the user experience based on profiled information > based on multi-site activity > Customization outside of multi-site activity profiles is allowable > Each party engaging in Permitted Uses and claiming W3C DNT compliance, > MUST provide public transparency of their data retention period > Party MAY enumerate each individually if they vary across Permitted Uses > Reasonable technical and organizational safeguards to prevent further > processing. > <non-normative> > > Examples of acceptable safeguards: collection limitations, data siloing, > authorization restrictions, k-anonymity, unlinkability, retention time, > anonydmization, pseudonymization, and/or data encryption. > > NOTE: While definitely a Permitted Use, compliance with local laws and > public purposes, such as copyright protection and delivery of emergency > services, is not listed separately. > > > 1. Security > > Data MAY be collected and used for the express and limited purpose of > security and fraud detection and defense. This includes data reasonably > necessary for enabling authentication/verification, detecting hostile > transactions and attacks, providing fraud prevention, or bolstering site > and system security. > > <Non-Normative> > Restricting security and fraud detection and defense efforts could harm > users. We do not want to mistakenly turn Do Not Track into a signal for > user vulnerability. > > Resources: For additional details on the uses of Security data please see > the DAA Self-Regulatory Principles for Multi-site Data: Authentication, > Verification, Fraud Prevention and Security & Compliance, & Public Purpose > and Consumer Safety > > <Normative> > 2. Financial Purposes > > - Data MAY be collected and used for the limited purpose of financial > fulfillment such as billing and audit compliance. This purpose is strictly > necessary for the continued operation of most websites and requires > uniqueness to prove user interactions (ad impression and ad click) were > indeed achieved as billed for. > > 3. Frequency Capping > > Data MAY be collected and used for the limited purpose of frequency > capping – the practice of keeping “count” of the number of times a user or > device has seen a specific ad and then halting further display of that ad > once the designated threshold has been reached. > 4. Product Debugging > > Data MAY be collected and used for the limited purpose of identifying and > repairing site errors to intended functionality (“Debugging”). > 5. Aggregate Reporting > > Data MAY be collected and used for the express and limited purpose of > aggregate reporting. Aggregate reporting end-points should meet the > objectives of “unlinkability” (see below) and therefore are outside of the > scope of the DNT standard. There is a time interval necessary to retain > event level records to aggregate across the necessary time spans accurately > (daily, weekly, monthly, quarterly, etc.). > > > Appendix > > Issues to bring up separately: > Data collected and received from a party MAY be combined with existing 1st > party profile data. > > Non-Normative: Unidentified > > There are many valid and technically appropriate methods to de-identify or > render a data set "un-linkable". In all cases, there should be confidence > the information is unable to be reverse engineering back to a "linkable" > state. Many tests could be applied to help determine the confidence level > of the un-linking process. For example, a k-anonymous test could be > leveraged to determine if the mean population resulting from a de-linking > exercise meets an appropriate threshold (a high-bar k-anonymous threshold > would be 1024). > > As there are many possible tests, it is recommended that companies > publically stating W3C Tracking Preference compliance provide transparency > to their delinking process (to the extent that it will not provide > confidential details into security practices) so external experts and > auditors can assess if they feel these steps are reasonable given the risk > of a particular dataset. > > Information That Is Un-linkable When Collected: A third party may collect > non-protocol information if it is, independent of protocol information, > un-linkable data. The data may be retained and used subject to the same > limitations as protocol information. > > Example: Example Advertising sets a language preference cookie that takes > on few values and is shared by many users. > > Information That Is Un-linkable After Aggregation: During the period in > which a third party may use protocol information for any purpose, it may > aggregate protocol information and un-linkable data into an un-linkable > dataset. Such a dataset may be retained indefinitely and used for any > purpose. > > Example: Example Advertising maintains a dataset of how many times per > week Italy-based users load an ad on Example News. > > Information That Is Un-linkable After Anonymization: At some point after > collection, a unique ID from a product cookie has a one-way salted hash > applied to the identifier to break any connection between the resulting > dataset and production identifiers. To further remove dictionary attacks > on this method, its recommended that "keys" are rotated on a regular basis. > > Non-Normative: Permitted Uses > > In order to avoid DNT significantly impacting the availability of free > content on the Internet a balance is necessary to allow for minimal data > use to continue standard site operations – including those that monetize > site activities. > > > Non-Normative: Aggregate Reporting > > While detailed event level data is not present at the outcome of > aggregated reporting it is a necessary ingredient to arrive there. > > Examples of uses of aggregate reporting: > Product Improvement (via Site Analytics) > Navigation (Referring sites, Exit Points, Internal Navigation used or not > used) > Visitor Counts (New, Returning, High Activity, Low Activity) > Market Research > > the characteristics of a market or group of consumers; or > the performance of a product, service or feature, in order to improve > existing products or services or to develop new products or services. > > References: For additional examples and associated details see the DAA > Self-Regulatory Principles for Multi-site Data: Market Research & Product > Development > > Non-Normative - product debugging > > Detailed information is often necessary to replicate a specific user’s > experience to understand why their particular set of variables is resulting > in a failure of expected functionality or presentation. > > These variables could include items such as: > cookie IDs > URL of the page > device (UA) details > content specifics > activity/event specifics to narrow in on the cause of the discrepancy > > Non-Normative: frequency capping > > NOTE: Restricting the number of times a user agent displays ads prevents > a user from having to see repetitive ads, prevents publishers from > displaying repetitive ads, and prevents advertisers from harming the > reputation of their clients. > Examples of important data uses include, but are not limited to: > Reach and frequency metrics > Ad performance > Logging the number and type of advertisements served on a particular Web > site(s). > Reporting > Reference: For additional examples and associated details please see the > DAA Self-Regulatory Principles for Multi-site Data: > > Non-Normative: Financial purposes > > NOTE: Typically all relevant advertising order criteria is necessary for > retention of ad interactions. > Examples of data uses include, but are not limited to: > Ad Impression verification (CPM) > Ad Click verification (CPC) > Site Conversion associated with Ad Impression or Ad Click (CPA) > Quality Measures such as ad position (location on page, above/below fold) > and site the ad was served on (high quality vs. low quality content > association) > Reference: For additional examples and associated details please see the > IAB Financial Audit Guidelines. > > Closing > > We believe this proposal advances the existing opt-out cookie structure > (albeit that is a fair and good one) and evolves online privacy in several > ways: > > Users gain a consistent, local tool to communicate their opt-out preference > Avoids property specific opt-out pages > The user's choice is persistent for each device/UA > Avoids accidental deletion > Outside of Security purposes, the user will no longer experience > alterations to their online experiences derived from multi-site activity > No profiling <aka "tracking"> and extends beyond online behavioral > advertising > Only minimal data is retained for necessary business operations and > retention periods are transparent to users > The Internet remains a viable ecosystem for free content > All real “harms” are removed > Outside of government intrusion risk where there are no documented cases > of this occurring with 3rd party anonymous log file data > > We hope you agree this clearly advances the already established opt-out > program offered to users with many key new additions and evolved > perspectives to what was already a long and hard negotiated outcome for > users of the current Internet. The online privacy debate did not begin > with the W3C Tracking Protection Working Group and most definitely won't > end with it but through collective agreement with this proposal we will > have marked an important date in the positive progression of the online > privacy debate. > > -- > > Heather West | Google Policy | heatherwest@google.com | 202-643-6381 > -- Heather West | Google Policy | heatherwest@google.com | 202-643-6381
Received on Thursday, 21 June 2012 22:04:00 UTC