- From: Roy T. Fielding <fielding@gbiv.com>
- Date: Wed, 7 Mar 2012 12:16:50 -0800
- To: Jonathan Mayer <jmayer@stanford.edu>
- Cc: Tracking Protection Working Group WG <public-tracking@w3.org>
- Message-Id: <BEAFA9AF-E676-4F86-B222-68C0A5C6C424@gbiv.com>
On Mar 7, 2012, at 7:04 AM, Jonathan Mayer wrote: > Substantively, then, I think we're *very* close. > > I (and, as I understand it, quite a few others in the group) favor a blanket third-party collection/retention/use limitation, with an exception for information that could not be used to correlate browsing activity and an exception for protocol information. (There are, of course, some fine details we might not agree on. For example: What does a server have to do if the client sends an old ID cookie? A "hi, here's my SSN" cookie? What does a server have to do over time with protocol information?) Please understand that those aren't exceptions. They are contradictions. We cannot protect against fraud and simultaneously blanket-prohibit collection. We can prohibit use for tracking and retention beyond what is necessary for the fraud/legal/security exemptions. > That said, as others have expressed, I'd prefer to avoid the quagmire of defining the word "tracking." The topic has repeatedly proven a waste of the group's time. I see no need for us to reach consensus on magic words; we need consensus on substance. Given that the protocol is "Do Not Track", this issue has more substance then the entire rest of the compliance document. > One last point. I thoroughly disagree with what you said here: > >> One thing I am quite certain of is that the WG does not have even >> the remotest sense of what "we're trying to address", and that goes >> for both industry and advocates. It is remarkable just how far both >> sides have been unwilling to address it with actual text, even on >> their own websites. > > Many stakeholders know exactly what they want Do Not Track to do. I (and others), in fact, have advocated the substance of what you propose for over a year. Example: http://tools.ietf.org/html/draft-mayer-do-not-track-00#section-9.2 You are neither "we" nor the "WG", so it doesn't apply to you, nor to "many stakeholders" in isolation, but rather on what we have agreed to as a group. The comment I made at the IETF meeting in Prague is that your draft's definition of tracking is unusable because every server on the planet does collection, retention, and use of data related to the request and response. Furthermore, scoping tracking that wide does not even remotely correspond to the English meaning of that term. The goal of my definition is to find a middle ground between folks who think they can deny data collection (even though the server must receive the request in order to process it and *will* retain that information to combat fraud and security attacks) and those who think the discussion must be limited to cross-site tracking by third-parties who do not silo by first-party, while at the same time providing a solution that will address the consent issue that has been demanded by regulators for all parties (not just third parties). What you should be asking is whether the definition is sufficient to address the privacy and consent issues that have been raised and discovered by your research, not whether it matches your current or past suggested solutions regarding data collection. ....Roy
Received on Wednesday, 7 March 2012 20:17:23 UTC