RE: [ISSUE-5] What is the definition of tracking?

I have a request.  To me, 'collection' is synonymous to 'retention' and I automatically translate the 1st into the latter.  From a lot of responses over the last few months (not necessarily on this thread), I think many others have a hard time separating these two terms as well.  However, usually when Jonathon uses the term 'collection' he is not referring to 'retention', but rather the actual request that goes over the wire, and I quickly get confused.  Jonathon, any chance you can use a different word (transmission perhaps) to refer to the request?  

-----Original Message-----
From: Jonathan Mayer [mailto:jmayer@stanford.edu] 
Sent: Wednesday, March 07, 2012 6:55 AM
To: Roy T. Fielding
Cc: Tracking Protection Working Group WG
Subject: Re: [ISSUE-5] What is the definition of tracking?

Roy,

Clarifying question. Does your proposal prohibit:

1) *collecting* information that *could be* used for correlation of browsing activity,
2) *collecting* information that *is* used for correlation of browsing activity, or
3) *using* information to correlate browsing activity?

My initial read was #1.  But on a re-read and in follow-on discussion, there seem to be suggestions of #2 and #3.

Thanks,
Jonathan

On Mar 4, 2012, at 3:36 PM, Roy T. Fielding wrote:

> Color me frustrated.  The definition for tracking provided in the 
> Compliance document is not distinguishable from any request to a 
> third-party site while rendering a page, nor does it reflect what a 
> common user's expectation would be for that term, nor does it reflect 
> any of the regulatory descriptions of the term.
> 
> Here is the current definition:
> =========
>  3.7 Tracking
> 
>  Tracking is the collection or use of user data via either a  unique 
> identifier or a correlated set of data points being  used to 
> approximate a unique identifier, in a context other
>  than "first party" as defined in this document. This includes:  			
> 
>   * a party collecting data across multiple websites,
>     even if it is a first party in one or more (but not all)
>     of the multiple contexts
> 
>   * a third party collecting data on a given website
> 
>   * a first party sharing user data collected from a DNT-on
>     user with third parties "after the fact".
> 
>  Examples of tracking use cases include:
> 
>   * personalized advertising
>   * cross-site analytics or market research that has not been de-identified
>   * automatic preference sharing by social applications
> 
> =========
> 
> The WG needs a definition that only applies to the act of tracking, 
> since otherwise the entire Web (every image, CDN, stylesheet, etc.) is 
> a false positive.  The WG needs a definition that is specific and 
> consistent with user expectations, since otherwise "allow tracking"
> fails as a mechanism for consent.
> 
> Here is my proposed replacement text:
> 
> =========
> 
> Tracking is defined as following or identifying a user, user agent, or 
> device across multiple visits to a site (time) or across multiple 
> sites (space).
> 
> Mechanisms for performing tracking include but are not limited to:
> * assigning a unique identifier to the user, user agent, or device  
> such that it will be conveyed back to the server on future visits; * 
> personalizing references or referral information such that they will  
> convey the user, user agent, or device identity to other sites; * 
> correlating data provided in the request with identifying data  
> collected from past requests or obtained from a third party; or, * 
> combining data provided in the request with de-identified data  
> collected or obtained from past requests in order to re-identify  that 
> data or otherwise associate it with the user, user agent,  or device.
> 
> A preference of "Do Not Track" means that the user does not want 
> tracking to be engaged for this request, including any mechanism for 
> performing tracking, any use of data retained from prior tracking, and 
> any retention or sharing of data from this request for the purpose of 
> future tracking, beyond what is necessary to enable:
> 1) the limited exemptions defined in section XX;
> 2) the first-party (and third-parties acting as the first-party)
>    to provide the service intentionally requested by the user; and
> 3) other services for which the user has provided prior,
>    specific, and informed consent.
> 
> =========
> 
> I believe this new definition of tracking and the corresponding 
> definition of "Do Not Track" will allow us to move beyond the 
> arguments over broad exemptions and instead focus on transparency and 
> individual control.  It allows the user to clearly state that they 
> don't want tracking outside the first-party context and don't want any 
> of the data retention/sharing effects of tracking.
> 
> The tracking status resource can convey exactly what tracking is 
> performed by a site, if any, for a given resource and DNT value, 
> including what limited exemptions are applicable.  Users (through user 
> agent choice or configuration) can decide what services to use, or 
> avoid, based on that transparency and not just a single on/off bit.
> 
> It separates the act of tracking from the mechanisms for doing 
> tracking and the kinds of data retained from tracking.  The former is 
> far easier to define in general, and the latter two will change over 
> time as technologies change.
> 
> It allows a first-party service (including its outsourced
> contractors) to perform the service intentionally requested by the 
> user, which may include personalization, analytics, or social 
> networking as appropriate for that service, since otherwise a DNT 
> enabled user would be constantly interrupted by consent dialogs just 
> to do what they had already requested.
> A first-party might change their service upon receipt of DNT, such as 
> by disabling social networking features, but that is presumed to be 
> governed by the nature of the first-party service and the privacy 
> options configured directly with that first-party.
> 
> It also recognizes that the user can provide prior consent for some 
> services that will override the DNT signal, via mechanisms outside the 
> scope of this standard, such as for paid audience survey tracking or 
> content-by-subscription.
> Such an override, if active for the user, would be reflected in the 
> tracking status response.
> 
> I would like to see this new text as at least an option in the 
> upcoming compliance WD.  Also, IMO, the definitions of user, user 
> agent, device, and tracking should be moved up to the start of the 
> first section, or the detailed explanation of things like 
> "first-party" moved into a later section, so that the details don't 
> overwhelm the purpose of this document.
> 
> 
> Cheers,
> 
> Roy T. Fielding                     <http://roy.gbiv.com/>
> Principal Scientist, Adobe Systems  <http://adobe.com/enterprise>

Received on Wednesday, 7 March 2012 18:17:49 UTC