RE: [ISSUE-5] What is the definition of tracking? from JC Cannon on 2012-03-07 (public-tracking@w3.org from March 2012)

From: JC Cannon <jccannon@microsoft.com>
Date: Wed, 7 Mar 2012 16:50:55 +0000
To: Jonathan Mayer <jmayer@stanford.edu>, Chris Pedigo <CPedigo@online-publishers.org>
CC: "Roy T. Fielding" <fielding@gbiv.com>, Tracking Protection Working Group WG <public-tracking@w3.org>
Message-ID: <DB4282D9ADFE2A4EA9D1C0FB54BC3BD76E52336A@TK5EX14MBXC139.redmond.corp.microsoft.>

Here is text from an earlier email from Roy:

> Here is my proposed replacement text:
>
> =========
>
> Tracking is defined as following or identifying a user, user agent, or
> device across multiple visits to a site (time) or across multiple
> sites (space).

JC

-----Original Message-----
From: Jonathan Mayer [mailto:jmayer@stanford.edu]
Sent: Wednesday, March 07, 2012 7:26 AM
To: Chris Pedigo
Cc: JC Cannon; Roy T. Fielding; Tracking Protection Working Group WG
Subject: Re: [ISSUE-5] What is the definition of tracking?

As I read Roy's proposal, it doesn't cover first parties.

> . . . beyond what is necessary to enable:
> . . .
> 2) the first-party (and third-parties acting as the first-party)
>    to provide the service intentionally requested by the user;

> It allows a first-party service (including its outsourced
> contractors) to perform the service intentionally requested by the
> user, which may include personalization, analytics, or social
> networking as appropriate for that service, since otherwise a DNT
> enabled user would be constantly interrupted by consent dialogs just
> to do what they had already requested.
> A first-party might change their service upon receipt of DNT, such as
> by disabling social networking features, but that is presumed to be
> governed by the nature of the first-party service and the privacy
> options configured directly with that first-party.

On Mar 7, 2012, at 7:17 AM, Chris Pedigo wrote:

> I agree completely.  There is a fundamental difference between first parties collecting data from a returning visitor and third parties collecting data on users over multiple sites.  Different usages for that data, different business models, different levels of fundamental choices available for the users.
>
> That said, I'm not sure it's worth having this debate.  For one thing, I don't know if we'll ever agree on a definition.  But, more importantly, these issues come into play when drafting the specs of the standard, so we'll just be re-hashing it all over again anyway.
>
> -----Original Message-----
> From: JC Cannon [mailto:jccannon@microsoft.com]<mailto:[mailto:jccannon@microsoft.com]>
> Sent: Wednesday, March 07, 2012 9:39 AM
> To: Roy T. Fielding; Jonathan Mayer
> Cc: Tracking Protection Working Group WG
> Subject: RE: [ISSUE-5] What is the definition of tracking?
>
> Why are we including returning to the same site as tracking? Firstly, I thought that first-party sites were excluded from DNT obligations other than sharing with third parties. Secondly, it's the user that choses to go to the site so how is that tracking? Without understanding its customers how can companies improve their sites?
>
> I would prefer to see us focus on the cross-site aspects of tracking that concerns most people.
>
> Thanks,
> JC
>
> -----Original Message-----
> From: Roy T. Fielding [mailto:fielding@gbiv.com]<mailto:[mailto:fielding@gbiv.com]>
> Sent: Wednesday, March 07, 2012 6:31 AM
> To: Jonathan Mayer
> Cc: Tracking Protection Working Group WG
> Subject: Re: [ISSUE-5] What is the definition of tracking?
>
> On Mar 7, 2012, at 5:54 AM, Jonathan Mayer wrote:
>
>> Roy,
>>
>> Clarifying question. Does your proposal prohibit:
>
>> 1) *collecting* information that *could be* used for correlation of
>> browsing activity,
>
> By *collecting*, I assume you mean "receiving in the request".
>
> Not directly. It prevents use of what is collected for tracking, correlation, or combining of data and it prevents assigning an identifier for future tracking, except as stated for the limited exemptions in compliance, first-party service, and stuff that has prior consent.
>
>> 2) *collecting* information that *is* used for correlation of
>> browsing activity, or
>
> It prohibits use or retention for correlation when DNT is on, yes, except as stated for the limited exemptions in compliance, first-party service, and stuff that has prior consent.
>
>> 3) *using* information to correlate browsing activity?
>
> Yes, when DNT is on there is no correlation allowed.
>
>> My initial read was #1.  But on a re-read and in follow-on discussion, there seem to be suggestions of #2 and #3.
>
> Note that there is very little that the server can do about receiving data other than not causing it to be set on prior requests.  The client can, of course, clear their cookies or enable private browsing after turning on DNT, if that is a concern.
>
> ....Roy
>
>
>
>
>
>
>

Received on Wednesday, 7 March 2012 16:51:34 UTC