- From: Roy T. Fielding <fielding@gbiv.com>
- Date: Wed, 14 Mar 2012 03:22:13 -0700
- To: Jonathan Mayer <jmayer@stanford.edu>
- Cc: Tracking Protection Working Group WG <public-tracking@w3.org>
On Mar 14, 2012, at 1:09 AM, Jonathan Mayer wrote: > I think there are two lines of thinking to unpack here. > > 1) What does Do Not Track do to third-party services that provide fraud prevention and security functionality for first-party websites (e.g. 41st Parameter, BlueCava)? > > My proposal isn't about those services. At present they get the same treatment as any other third party; in many cases they'll qualify for the outsourcing exception. If a stakeholder wants to propose a special exception for those services, we could discuss it. They would qualify for the exemption for fraud prevention, assuming the data use and retention is so limited. I did not consider them under the outsourcing exemption because siloing their data per first-party would be unusual. > 2) How can Do Not Track accommodate fraud prevention and security for pure third-party services without being overly prescriptive? > > My proposed text gives quite broad latitude to third party websites. What is "reasonable" will vary by industry and company. I agree that guiding examples would be valuable. No, my point was that DNT cannot have an impact on fraud control, period. If it did, then the presence of DNT:1 would be indicative of "reasonable grounds to believe the user or user agent is presently attempting to commit fraud". In any case, the nature of data collection for fraud prevention is to collect a lot of data on non-fraudulent behavior, so that when an anomalous set of behavior is encountered the "alarm" is triggered. The premise on which your two operative texts are based is that the fraud control engine can determine "reasonable grounds" without first collecting or using data about the user agent. It does not work that way (and I am not just talking about advertising fraud). I am not saying this isn't a privacy concern. I am saying it won't be addressed by DNT because lessening fraud control on the basis of a signal received from the client is simply not a viable option. I would encourage the regulators to find a solution to this concern outside of DNT, since it has nothing to do with preferences/consent. ....Roy
Received on Wednesday, 14 March 2012 10:22:45 UTC