Re: [ISSUE-5] What is the definition of tracking?

Substantively, then, I think we're *very* close.

I (and, as I understand it, quite a few others in the group) favor a blanket third-party collection/retention/use limitation, with an exception for information that could not be used to correlate browsing activity and an exception for protocol information.  (There are, of course, some fine details we might not agree on.  For example: What does a server have to do if the client sends an old ID cookie?  A "hi, here's my SSN" cookie?  What does a server have to do over time with protocol information?)

That said, as others have expressed, I'd prefer to avoid the quagmire of defining the word "tracking."  The topic has repeatedly proven a waste of the group's time.  I see no need for us to reach consensus on magic words; we need consensus on substance. 

One last point.  I thoroughly disagree with what you said here:

> One thing I am quite certain of is that the WG does not have even
> the remotest sense of what "we're trying to address", and that goes
> for both industry and advocates.  It is remarkable just how far both
> sides have been unwilling to address it with actual text, even on
> their own websites.

Many stakeholders know exactly what they want Do Not Track to do.  I (and others), in fact, have advocated the substance of what you propose for over a year.  Example: http://tools.ietf.org/html/draft-mayer-do-not-track-00#section-9.2

Jonathan

On Mar 7, 2012, at 6:30 AM, Roy T. Fielding wrote:

> On Mar 7, 2012, at 5:54 AM, Jonathan Mayer wrote:
> 
>> Roy,
>> 
>> Clarifying question. Does your proposal prohibit:
> 
>> 1) *collecting* information that *could be* used for correlation of browsing activity,
> 
> By *collecting*, I assume you mean "receiving in the request".
> 
> Not directly. It prevents use of what is collected for tracking,
> correlation, or combining of data and it prevents assigning an
> identifier for future tracking, except as stated for the limited
> exemptions in compliance, first-party service, and stuff that
> has prior consent.
> 
>> 2) *collecting* information that *is* used for correlation of browsing activity, or
> 
> It prohibits use or retention for correlation when DNT is on, yes,
> except as stated for the limited exemptions in compliance,
> first-party service, and stuff that has prior consent.
> 
>> 3) *using* information to correlate browsing activity?
> 
> Yes, when DNT is on there is no correlation allowed.
> 
>> My initial read was #1.  But on a re-read and in follow-on discussion, there seem to be suggestions of #2 and #3.
> 
> Note that there is very little that the server can do about
> receiving data other than not causing it to be set on prior
> requests.  The client can, of course, clear their cookies or
> enable private browsing after turning on DNT, if that is a
> concern.
> 
> ....Roy
> 
> 

Received on Wednesday, 7 March 2012 15:05:34 UTC