- From: Jonathan Mayer <jmayer@stanford.edu>
- Date: Wed, 7 Mar 2012 05:54:46 -0800
- To: Roy T. Fielding <fielding@gbiv.com>
- Cc: Tracking Protection Working Group WG <public-tracking@w3.org>
Roy, Clarifying question. Does your proposal prohibit: 1) *collecting* information that *could be* used for correlation of browsing activity, 2) *collecting* information that *is* used for correlation of browsing activity, or 3) *using* information to correlate browsing activity? My initial read was #1. But on a re-read and in follow-on discussion, there seem to be suggestions of #2 and #3. Thanks, Jonathan On Mar 4, 2012, at 3:36 PM, Roy T. Fielding wrote: > Color me frustrated. The definition for tracking provided in the > Compliance document is not distinguishable from any request to a > third-party site while rendering a page, nor does it reflect what > a common user's expectation would be for that term, nor does it > reflect any of the regulatory descriptions of the term. > > Here is the current definition: > ========= > 3.7 Tracking > > Tracking is the collection or use of user data via either a > unique identifier or a correlated set of data points being > used to approximate a unique identifier, in a context other > than "first party" as defined in this document. This includes: > > • a party collecting data across multiple websites, > even if it is a first party in one or more (but not all) > of the multiple contexts > > • a third party collecting data on a given website > > • a first party sharing user data collected from a DNT-on > user with third parties "after the fact". > > Examples of tracking use cases include: > > • personalized advertising > • cross-site analytics or market research that has not been de-identified > • automatic preference sharing by social applications > > ========= > > The WG needs a definition that only applies to the act of tracking, > since otherwise the entire Web (every image, CDN, stylesheet, etc.) > is a false positive. The WG needs a definition that is specific and > consistent with user expectations, since otherwise "allow tracking" > fails as a mechanism for consent. > > Here is my proposed replacement text: > > ========= > > Tracking is defined as following or identifying a user, user agent, > or device across multiple visits to a site (time) or across multiple > sites (space). > > Mechanisms for performing tracking include but are not limited to: > • assigning a unique identifier to the user, user agent, or device > such that it will be conveyed back to the server on future visits; > • personalizing references or referral information such that they will > convey the user, user agent, or device identity to other sites; > • correlating data provided in the request with identifying data > collected from past requests or obtained from a third party; or, > • combining data provided in the request with de-identified data > collected or obtained from past requests in order to re-identify > that data or otherwise associate it with the user, user agent, > or device. > > A preference of "Do Not Track" means that the user does not want > tracking to be engaged for this request, including any mechanism > for performing tracking, any use of data retained from prior tracking, > and any retention or sharing of data from this request for the purpose > of future tracking, beyond what is necessary to enable: > 1) the limited exemptions defined in section XX; > 2) the first-party (and third-parties acting as the first-party) > to provide the service intentionally requested by the user; and > 3) other services for which the user has provided prior, > specific, and informed consent. > > ========= > > I believe this new definition of tracking and the corresponding > definition of "Do Not Track" will allow us to move beyond the > arguments over broad exemptions and instead focus on transparency > and individual control. It allows the user to clearly state that > they don't want tracking outside the first-party context and > don't want any of the data retention/sharing effects of tracking. > > The tracking status resource can convey exactly what tracking is > performed by a site, if any, for a given resource and DNT value, > including what limited exemptions are applicable. Users (through > user agent choice or configuration) can decide what services to use, > or avoid, based on that transparency and not just a single on/off bit. > > It separates the act of tracking from the mechanisms for doing > tracking and the kinds of data retained from tracking. The former > is far easier to define in general, and the latter two will change > over time as technologies change. > > It allows a first-party service (including its outsourced > contractors) to perform the service intentionally requested > by the user, which may include personalization, analytics, > or social networking as appropriate for that service, since > otherwise a DNT enabled user would be constantly interrupted > by consent dialogs just to do what they had already requested. > A first-party might change their service upon receipt of DNT, > such as by disabling social networking features, but that is > presumed to be governed by the nature of the first-party > service and the privacy options configured directly with > that first-party. > > It also recognizes that the user can provide prior consent > for some services that will override the DNT signal, via > mechanisms outside the scope of this standard, such as > for paid audience survey tracking or content-by-subscription. > Such an override, if active for the user, would be reflected > in the tracking status response. > > I would like to see this new text as at least an option in > the upcoming compliance WD. Also, IMO, the definitions of > user, user agent, device, and tracking should be moved up to > the start of the first section, or the detailed explanation > of things like "first-party" moved into a later section, so > that the details don't overwhelm the purpose of this document. > > > Cheers, > > Roy T. Fielding <http://roy.gbiv.com/> > Principal Scientist, Adobe Systems <http://adobe.com/enterprise>
Received on Wednesday, 7 March 2012 13:55:25 UTC