Re: [ISSUE-5] What is the definition of tracking?

On Mar 7, 2012, at 8:40 AM, Chris Pedigo wrote:

> You're right, I'd prefer that first parties not be covered at all.  But, I recognize that this group is instead heading down the road of providing carve-outs for first party activities.  As we consider those carve outs, I just want to be sure that the group does not unfairly lump first and third party data collection together.

Clarification: I *don't* think the compliance specification is trending in a direction of treating first parties as a carve-out.  The first vs. third party distinction comes before the discussion of limitations, and the chief limitations only apply to third parties.

> As for "bad precedent," symbolism and shading, please don't mistake policy discussions as non-substantive.  I think it's important to get the definitions and goals correct as they will inform and guide our decisions on technical issues.  Why else would we want to have a definition of tracking?  In that regard, I'd prefer not to wait until the end when the product may be too far beyond repair.

Not everyone wants to define tracking.  I sure don't.

But supposing we do define tracking: the issues we work on should, at least at first, be substantive.  If there's an analytical reason for changing the definitional structure, shoot.  Conflating issues would be a good example.

What I don't want to see (and I don't think you're making here) are arguments about how things need to be re-arranged for the political or optics benefit of a specific constituency.

> Again, I'm committed to working with you on this and we think it could be a useful tool for consumers and publishers alike.  
> 
> 
> 
> -----Original Message-----
> From: Jonathan Mayer [mailto:jmayer@stanford.edu] 
> Sent: Wednesday, March 07, 2012 11:04 AM
> To: Chris Pedigo
> Cc: JC Cannon; Roy T. Fielding; Tracking Protection Working Group WG
> Subject: Re: [ISSUE-5] What is the definition of tracking?
> 
> If I read your first concern correctly, your objection is to an analytical structure that treats first parties as a carve-out as opposed to never being covered.  While that's not where the documents are now (nor, I think, where they're going), I should hope that concerns about "bad precedent," symbolism, and shading perceptions can hold until the final draft.  There's far too much actual substantive work for us to do.
> 
> Jonathan
> 
> On Mar 7, 2012, at 7:46 AM, Chris Pedigo wrote:
> 
>> My concerns are twofold:
>> 
>> 1) The definition starts with a faulty premise that first and third party data collection and usage are the same.  They are not.  My concern here is that a decision lump first and third parties together would set a bad precedent for future decisions on the technical issues.
>> 
>> 2) As you noted, the definition provides a carve-out for first parties to perform the service "intentionally requested."  "Intentionally requested" can be interpreted to exclude data uses that the user expects but did not request - site optimization, fraud investigation, innovation.  I'm sure there are a host of other uses that would fall under this category, not to mention the uses that we haven't even invented yet.
>> 
>> Roy has noted that this gray area would exist with or without a definition (I think I am summarizing his point accurately).  But, even so, I don't think we should artificially limit first parties in this manner when we're trying to provide control for users over data collection where they have little or no control.  If anything, the continued existence of a gray area would beg the question - why are we defining tracking in the first place?
>> 
>> As I stated before, publishers might find this to be a useful tool and I want to be helpful.  I'm not trying to derail the group here.  So, perhaps it's best to "agree to disagree" and just move on.
>> 
>> 
>> -----Original Message-----
>> From: Jonathan Mayer [mailto:jmayer@stanford.edu] 
>> Sent: Wednesday, March 07, 2012 10:26 AM
>> To: Chris Pedigo
>> Cc: JC Cannon; Roy T. Fielding; Tracking Protection Working Group WG
>> Subject: Re: [ISSUE-5] What is the definition of tracking?
>> 
>> As I read Roy's proposal, it doesn't cover first parties.
>> 
>>> . . . beyond what is necessary to enable:
>>> . . .
>>> 2) the first-party (and third-parties acting as the first-party)
>>>  to provide the service intentionally requested by the user; 
>> 
>>> It allows a first-party service (including its outsourced
>>> contractors) to perform the service intentionally requested
>>> by the user, which may include personalization, analytics,
>>> or social networking as appropriate for that service, since
>>> otherwise a DNT enabled user would be constantly interrupted
>>> by consent dialogs just to do what they had already requested.
>>> A first-party might change their service upon receipt of DNT,
>>> such as by disabling social networking features, but that is
>>> presumed to be governed by the nature of the first-party
>>> service and the privacy options configured directly with
>>> that first-party.
>> 
>> On Mar 7, 2012, at 7:17 AM, Chris Pedigo wrote:
>> 
>>> I agree completely.  There is a fundamental difference between first parties collecting data from a returning visitor and third parties collecting data on users over multiple sites.  Different usages for that data, different business models, different levels of fundamental choices available for the users.  
>>> 
>>> That said, I'm not sure it's worth having this debate.  For one thing, I don't know if we'll ever agree on a definition.  But, more importantly, these issues come into play when drafting the specs of the standard, so we'll just be re-hashing it all over again anyway.
>>> 
>>> -----Original Message-----
>>> From: JC Cannon [mailto:jccannon@microsoft.com] 
>>> Sent: Wednesday, March 07, 2012 9:39 AM
>>> To: Roy T. Fielding; Jonathan Mayer
>>> Cc: Tracking Protection Working Group WG
>>> Subject: RE: [ISSUE-5] What is the definition of tracking?
>>> 
>>> Why are we including returning to the same site as tracking? Firstly, I thought that first-party sites were excluded from DNT obligations other than sharing with third parties. Secondly, it's the user that choses to go to the site so how is that tracking? Without understanding its customers how can companies improve their sites?
>>> 
>>> I would prefer to see us focus on the cross-site aspects of tracking that concerns most people.
>>> 
>>> Thanks,
>>> JC
>>> 
>>> -----Original Message-----
>>> From: Roy T. Fielding [mailto:fielding@gbiv.com] 
>>> Sent: Wednesday, March 07, 2012 6:31 AM
>>> To: Jonathan Mayer
>>> Cc: Tracking Protection Working Group WG
>>> Subject: Re: [ISSUE-5] What is the definition of tracking?
>>> 
>>> On Mar 7, 2012, at 5:54 AM, Jonathan Mayer wrote:
>>> 
>>>> Roy,
>>>> 
>>>> Clarifying question. Does your proposal prohibit:
>>> 
>>>> 1) *collecting* information that *could be* used for correlation of 
>>>> browsing activity,
>>> 
>>> By *collecting*, I assume you mean "receiving in the request".
>>> 
>>> Not directly. It prevents use of what is collected for tracking, correlation, or combining of data and it prevents assigning an identifier for future tracking, except as stated for the limited exemptions in compliance, first-party service, and stuff that has prior consent.
>>> 
>>>> 2) *collecting* information that *is* used for correlation of browsing 
>>>> activity, or
>>> 
>>> It prohibits use or retention for correlation when DNT is on, yes, except as stated for the limited exemptions in compliance, first-party service, and stuff that has prior consent.
>>> 
>>>> 3) *using* information to correlate browsing activity?
>>> 
>>> Yes, when DNT is on there is no correlation allowed.
>>> 
>>>> My initial read was #1.  But on a re-read and in follow-on discussion, there seem to be suggestions of #2 and #3.
>>> 
>>> Note that there is very little that the server can do about receiving data other than not causing it to be set on prior requests.  The client can, of course, clear their cookies or enable private browsing after turning on DNT, if that is a concern.
>>> 
>>> ....Roy
>>> 
>>> 
>>> 
>>> 
>>> 
>>> 
>>> 
>> 
>> 
>> 
> 
> 
> 

Received on Wednesday, 7 March 2012 17:04:51 UTC