Re: Logged-In Exception (ISSUE-65) from Jonathan Mayer on 2012-03-19 (public-tracking@w3.org from March 2012)

From: Jonathan Mayer <jmayer@stanford.edu>
Date: Mon, 19 Mar 2012 00:17:55 -0700
To: JC Cannon <jccannon@microsoft.com>
Cc: Steven Vine <svine@pulsepoint.com>, Rigo Wenning <rigo@w3.org>, "public-tracking@w3.org" <public-tracking@w3.org>
Message-Id: <A1EB6D15-BF4B-4793-BB61-0137E3E52B2F@stanford.edu>
JC is quite right to point out that the limits imposed by a logged-in exception need not be the same as those imposed by other exceptions.  Some options include:

a) The same as a web-wide DNT: 0 exception.  (This is what I've heard most frequently).
b) An exception that prohibits profiling use of information from the visit, but allows any other use of first-party information or information from the visit.  (I think this might be what JC is proposing).
c) An exception that allows use of first-party information but prohibits logging of information about the visit.
d) No exception.

As for the notion that not providing a logged-in exception "penalize[s] users," I don't follow.  The only decision points on the table are:

1) Are users guaranteed the choice to both save a login and enjoy the benefits of DNT: 1?  (I am not aware of any large first-party website that presently provides logged-in users a comprehensive choice about third-party personalization, let alone data collection.  It seems fair to assume that, in the absence of DNT, users will continue to not have this choice.)
2) If we are going to guarantee users such a choice, are we going to require them to use some special choice mechanism above and beyond ordinary DNT?

On Mar 18, 2012, at 11:55 PM, JC Cannon wrote:

> Logged in state is different from DNT:0. I don’t want to see us penalize users with who have willing created a relationship with companies and express it by logging in. More responses below.
>  
> JC
>  
> From: Jonathan Mayer [mailto:jmayer@stanford.edu] 
> Sent: Sunday, March 18, 2012 11:21 AM
> To: Steven Vine
> Cc: JC Cannon; Rigo Wenning; public-tracking@w3.org
> Subject: Re: Logged-In Exception (ISSUE-65)
>  
> I think there are three points in here.
>  
> 1) Would the logged-in exception be a de facto site-specific exception?
>  
> Yes, and even broader: the logged-in exception would be a de facto web-wide exception.
> [JC] this is not true. The logged-in scenario is not the same as an exception. There is no profiling involved.
>  
> 2) Would the logged-in exception allow retargeting?
>  
> Yes.  It would allow just about any use of the first party's data - profile-based targeting, retargeting, widget personalization, etc.
> [JC] It would only apply to a profile that was previously collected and would not permit updating of the profile.
>  
> 3) Is this "targeting without tracking"?
>  
> I don't want to pry open the worthless "What is tracking?" debate, beyond noting that many participants would consider collection-without-logging to impose privacy risks that this group should address.
> [JC] It is personalization without tracking.
>  
> On Mar 15, 2012, at 5:55 PM, Steven Vine wrote:
> 
> 
> Isn’t this function just targeting without tracking? Why not then allow ad retargeting if the user has logged in at the first party site that is doing retargeting:
> 
> To play on JC’s scenario: User logs into Amazon and navigates to CNN.com to read an article. The user is able to see an ad based on their Amazon account data. However, Amazon should not log the fact that the user has viewed the article or even gone to CNN unless the user clicks on the Amazon ad.
> 
> And if this is allowed wouldn’t this kind of retargeting be ok for any first party who gets a site-specific exception?
> 
> Steve
> 
>  
> On 3/15/12 7:46 PM, "JC Cannon" <jccannon@microsoft.com> wrote:
> 
> Now we just need to get the others to agree.. :)
> 
> JC
> 
> -----Original Message-----
> From: Rigo Wenning [mailto:rigo@w3.org]
> Sent: Thursday, March 15, 2012 2:39 AM
> To: public-tracking@w3.org
> Cc: JC Cannon
> Subject: Re: Logged-In Exception (ISSUE-65)
> 
> JC,
> 
> On Wednesday 14 March 2012 16:28:27 JC Cannon wrote:
> > Specific scenario: User logs into FB and navigates to CNN.com to read an
> > article. The user is able to see the FB friends that liked the article..
> > However, FB should not log the fact that the user has viewed the article or
> > even gone to CNN unless the user clicks on the FB Like button.
> >
> > If feel this type of behavior would be expected and I personally like this
> > type of feature.
> 
> This was the point I was trying to make in my earlier email (and use case).
> How come we agree on things? :)
> 
> Rigo
> 
> 
> 
> 
> 
> Contextweb and Datran Media have merged. We are now PulsePoint! This is to alert you that my email address has changed to the pulsepoint.com domain reflecting our new brand. Please take a moment to update your address book accordingly.
Received on Monday, 19 March 2012 07:18:28 UTC