Re: [ISSUE-5] What is the definition of tracking?


Clarifying question. Does your proposal prohibit:

1) *collecting* information that *could be* used for correlation of browsing activity,
2) *collecting* information that *is* used for correlation of browsing activity, or
3) *using* information to correlate browsing activity?

My initial read was #1.  But on a re-read and in follow-on discussion, there seem to be suggestions of #2 and #3.


On Mar 4, 2012, at 3:36 PM, Roy T. Fielding wrote:

> Color me frustrated.  The definition for tracking provided in the
> Compliance document is not distinguishable from any request to a
> third-party site while rendering a page, nor does it reflect what
> a common user's expectation would be for that term, nor does it
> reflect any of the regulatory descriptions of the term.
> Here is the current definition:
> =========
>  3.7 Tracking
>  Tracking is the collection or use of user data via either a
>  unique identifier or a correlated set of data points being
>  used to approximate a unique identifier, in a context other
>  than "first party" as defined in this document. This includes:  			
>    a party collecting data across multiple websites,
>     even if it is a first party in one or more (but not all)
>     of the multiple contexts
>    a third party collecting data on a given website
>    a first party sharing user data collected from a DNT-on
>     user with third parties "after the fact".
>  Examples of tracking use cases include:
>    personalized advertising
>    cross-site analytics or market research that has not been de-identified
>    automatic preference sharing by social applications
> =========
> The WG needs a definition that only applies to the act of tracking,
> since otherwise the entire Web (every image, CDN, stylesheet, etc.)
> is a false positive.  The WG needs a definition that is specific and
> consistent with user expectations, since otherwise "allow tracking"
> fails as a mechanism for consent.
> Here is my proposed replacement text:
> =========
> Tracking is defined as following or identifying a user, user agent,
> or device across multiple visits to a site (time) or across multiple
> sites (space).
> Mechanisms for performing tracking include but are not limited to:
>  assigning a unique identifier to the user, user agent, or device
>  such that it will be conveyed back to the server on future visits;
>  personalizing references or referral information such that they will
>  convey the user, user agent, or device identity to other sites;
>  correlating data provided in the request with identifying data
>  collected from past requests or obtained from a third party; or,
>  combining data provided in the request with de-identified data
>  collected or obtained from past requests in order to re-identify
>  that data or otherwise associate it with the user, user agent,
>  or device.
> A preference of "Do Not Track" means that the user does not want
> tracking to be engaged for this request, including any mechanism
> for performing tracking, any use of data retained from prior tracking,
> and any retention or sharing of data from this request for the purpose
> of future tracking, beyond what is necessary to enable:
> 1) the limited exemptions defined in section XX;
> 2) the first-party (and third-parties acting as the first-party)
>    to provide the service intentionally requested by the user; and
> 3) other services for which the user has provided prior,
>    specific, and informed consent.
> =========
> I believe this new definition of tracking and the corresponding
> definition of "Do Not Track" will allow us to move beyond the
> arguments over broad exemptions and instead focus on transparency
> and individual control.  It allows the user to clearly state that
> they don't want tracking outside the first-party context and
> don't want any of the data retention/sharing effects of tracking.
> The tracking status resource can convey exactly what tracking is
> performed by a site, if any, for a given resource and DNT value,
> including what limited exemptions are applicable.  Users (through
> user agent choice or configuration) can decide what services to use,
> or avoid, based on that transparency and not just a single on/off bit.
> It separates the act of tracking from the mechanisms for doing
> tracking and the kinds of data retained from tracking.  The former
> is far easier to define in general, and the latter two will change
> over time as technologies change.
> It allows a first-party service (including its outsourced
> contractors) to perform the service intentionally requested
> by the user, which may include personalization, analytics,
> or social networking as appropriate for that service, since
> otherwise a DNT enabled user would be constantly interrupted
> by consent dialogs just to do what they had already requested.
> A first-party might change their service upon receipt of DNT,
> such as by disabling social networking features, but that is
> presumed to be governed by the nature of the first-party
> service and the privacy options configured directly with
> that first-party.
> It also recognizes that the user can provide prior consent
> for some services that will override the DNT signal, via
> mechanisms outside the scope of this standard, such as
> for paid audience survey tracking or content-by-subscription.
> Such an override, if active for the user, would be reflected
> in the tracking status response.
> I would like to see this new text as at least an option in
> the upcoming compliance WD.  Also, IMO, the definitions of
> user, user agent, device, and tracking should be moved up to
> the start of the first section, or the detailed explanation
> of things like "first-party" moved into a later section, so
> that the details don't overwhelm the purpose of this document.
> Cheers,
> Roy T. Fielding                     <>
> Principal Scientist, Adobe Systems  <>

Received on Wednesday, 7 March 2012 13:55:25 UTC