- From: Roy T. Fielding <fielding@gbiv.com>
- Date: Mon, 5 Mar 2012 11:47:52 -0800
- To: Chris Pedigo <CPedigo@online-publishers.org>
- Cc: Tracking Protection Working Group WG <public-tracking@w3.org>
Thanks for the comments Chris,

Each of these issues is important, and how the definition works should be described in the detail sections of the spec, but they do not need to affect the definition.

On Mar 5, 2012, at 4:17 AM, Chris Pedigo wrote:

> Roy, I appreciate your effort to take a fresh look at this definition. On first glance, I have a couple of concerns:
>
> 1) Your definition of tracking includes "multiple visits to a site (time)." This would cover first and third parties equally. I think that's an overly broad definition of the kind of tracking we're trying to address in this WG and it unfairly presumes that first party tracking is bad or does not meet with user expectations. I think you try to address it later but I object to the starting point.

One thing I am quite certain of is that the WG does not have even the remotest sense of what "we're trying to address", and that goes for both industry and advocates. It is remarkable just how far both sides have been unwilling to address it with actual text, even on their own websites.

I am trying to find the middle ground. As near as I can tell, the only groups actually expressing the middle ground are the US and EU regulators. Which is good, because my company will adhere to their requirements regardless of what the WG decides.

I refer you to

http://www.whitehouse.gov/sites/default/files/privacy-final.pdf

"The Individual Control principle has two dimensions. First, at the time of collection, companies should present choices about data sharing, collection, use, and disclosure that are appropriate for the scale, scope, and sensitivity of personal data in question. For example, companies that have access to significant portions of individuals’ Internet usage histories, such as search engines, ad networks, and online social networks, can build detailed profiles of individual behavior over time. These profiles may be broad in scope and large in scale, and they may contain sensitive information, such as personal health or financial data.(13) In these cases, choice mechanisms that are simple and prominent and offer fine-grained control of personal data use and disclosure may be appropriate. By contrast, services that do not collect information that is reasonably linkable to individuals may offer accordingly limited choices.

(13) “Scope” refers to the range of activities or interests as well as the time period that is reflected in a dataset. “Scale” refers to the number of individuals whose activities are in a dataset.

I am sure there is something similar in the EU directives, though I am less adept at finding those.

The definition of tracking in terms of both time and space is consistent with user expectations when there is no other agreement that defines a long-term relationship with the user (such as a user account with ToS). The exemption for first-party tracking in "Do Not Track", to the extent that it is defined by the first-party as part of its service, is consistent with both industry's desire to provide an enhanced customer experience and the public's desire to ensure transparency regarding data collection.

The easy example (since they have not bothered to show up for the WG) is Amazon.com. There is no doubt that Amazon.com deliberately tracks a customer's searches, clicks, and purchases for the sake of delivering what they (and most of their customers) consider a better service. They are very transparent about the tracking part of that service. (I have no idea if they are transparent about the impact of that tracking, since I have no back-end knowledge of what Amazon does.) Our definition cannot pretend that Amazon.com is not tracking, since the regulations are governed by user expectation -- not by what this WG agrees is the greatest common denominator opinion of those in the room. Amazon.com would not be impacted by my definition unless they violate their own agreement with customers regarding sharing that data.

> 2) Then later you propose that tracking would be allowed for "only first-party (and third-parties acting as the first-party) to provide the service intentionally requested by the user."
>
> Limiting first parties to provide only "the service intentionally requested" would be problematic. We would need to create an entire list of activities that would be permitted. On top of that, I imagine there are all kinds of first party uses for data that users expect but don't intentionally request (i.e. site optimization, fraud investigation). More importantly, this limitation of first parties wouldn't allow for first parties to use data to innovate or create new services for the user.

The "intentionally requested" does not in any way limit the service to the user's intent. It limits the scope of first-party to intentional acts by the user. We do not need to define what that means because it is a known gray area no matter how we define it. For example, a first-party service is not responsible for ensuring that no third-party sets up a portal, mash-up, or other mask that causes a user to accidentally request their service; however, they would be responsible if they encouraged it via their own content, documentation, APIs that they publish, or mechanisms that they choose to use for advertising or social-networking on third-party sites. It is the kind of gray area that regulators (and the occasional judicial process) will decide on the basis of each individual service and each mechanism used to attract intent, regardless of what we write in our document.

Furthermore, we wouldn't need to create a list of activities. All first-party sites have terms of service and privacy policies, or at least should have them if they are covered by our specification. They are responsible for accurately defining their own service. Amazon.com is not just a book seller. When people go to their site, they expect the whole service. They expect Gold Box deals. They expect to see what they recently looked at. They expect to be able to limit those things in their own account settings, when such limits are desired. Hence, the users, the EU regulators, and the US regulators ALL agree that the technical mechanisms used by first-parties in order to create that service (including analytics, fraud control, personalization, etc.) are all a necessary part of the service requested when the service is transparent about using those mechanisms.

> I suppose we could create an expansive list of allowable first party activities, but I think you were trying to avoid that complexity.

Yes, that is exactly what I am trying to avoid, along with making an expansive list of what data can be collected, what services a site is allowed to offer, what mechanisms are allowed to access a site, and all the other things that a WG like ours simply cannot do without breaking the innovative aspects of the Internet.

> Again, I do appreciate your taking a look at this definition. I think our definition should focus on data collected about a user across multiple sites.
>
>
> Chris Pedigo
> Online Publishers Association
> (202) 744-2967

I believe that I already tried that and it didn't work. One of the advantages of having me get involved in TPE is that I don't have a long legacy of interactions with the privacy debate. I can feel free to try (and fail) numerous times to find a middle ground in order to build a system that works for the public.

Cheers,

....Roy
Received on Monday, 5 March 2012 19:48:14 UTC