Re: Allowed uses of protocol data in first N weeks (ACTION-190)

There is also the practical matter that we don't have a way for
the server receiving a request to know whether it is the first
or third party and we don't have a definition of tracking based
on data use, which means any inline image placed on some other
site (with or without the owner's permission) is going to result
in a log record that is currently subject to DNT, even if the
server believes it is a first party and doesn't perform any
kind of tracking.

....Roy

On May 10, 2012, at 9:27 AM, Ian Fette (イアンフェッティ) wrote:

> Replying to both you and Shane here. 
> 
> I don't think this puts any restrictions on first parties whatsoever, if it does please let me know what restrictions it places and I'm happy to re-word so as to avoid that.
> 
> This was really meant as a "If you only log data for six weeks, unless you do this one thing (serving OBA ads) you don't have to worry about anything, you're compliant with DNT. If you log data for more than six weeks, then you have to deal with all of the DNT stuff, have fun."
> 
> It's not meant to restrict any rights a party might otherwise be granted under the spec, it's merely trying to provide a fast-path for people who only keep data for a short amount of time, as well as allowing for a bit of flexibility for people who do keep data longer to be able to implement this in a way that won't necessitate totally re-thinking the way their infrastructure works.
> 
> -Ian
> 
> On Thu, May 10, 2012 at 7:20 AM, SULLIVAN, BRYAN L <bs3131@att.com> wrote:
> I agree, the assertion was clearly out of the blue for many of us. The whole context of the permitted use discussion is limited by 3rd party status, and the protocol logging concerns expressed are all in the context of preventing ability to pursue non-permitted uses. So logging restrictions should not apply to 1st parties at all.
> 
>  
> 
> Thanks,
> 
> Bryan Sullivan
> 
>  
> 
> From: Chris Pedigo [mailto:CPedigo@online-publishers.org] 
> Sent: Thursday, May 10, 2012 4:20 AM
> To: Shane Wiley
> Cc: ifette@google.com; John Simpson; TOUBIANA, VINCENT (VINCENT); public-tracking@w3.org Group WG
> 
> 
> Subject: Re: Allowed uses of protocol data in first N weeks (ACTION-190)
> 
>  
> 
> Based on the IRC comments at end of yesterday's call, many of us were surprised that you envision this restriction applying to first parties.  I think we were surprised because the restriction on first parties not sharing data with third parties assumes that first parties will be able to keep data. Applying a 6-week limit on first parties would directly contradict the decision already reached by the group to allow first parties to retain data so long as they don't share it. 
> 
> 
> 
> 
> 
> 
> 
>  
> 
> 
> On May 9, 2012, at 7:57 PM, "Shane Wiley" <wileys@yahoo-inc.com> wrote:
> 
> Ian,
> 
>  
> 
> Could you please explain why you feel this would be applied to 1st parties?  I thought we agreed as a working group that DNT was not applicable to 1st parties (outside of inability to pass data to 3rd parties to close that loophole)?  Are you suggesting your proposed text applies to all log data regardless of DNT signal status?
> 
>  
> 
> Thank you,
> 
> - Shane
> 
>  
> 
> From: Ian Fette (イアンフェッティ) [mailto:ifette@google.com] 
> Sent: Wednesday, May 09, 2012 4:47 PM
> To: John Simpson
> Cc: TOUBIANA, VINCENT (VINCENT); public-tracking@w3.org Group WG
> Subject: Re: Allowed uses of protocol data in first N weeks (ACTION-190)
> 
>  
> 
> Yes
> 
> On Wed, May 9, 2012 at 4:25 PM, John Simpson <john@consumerwatchdog.org> wrote:
> 
> Ian,
> 
>  
> 
> This morning's call left me confused.  Does the text proposed by Action-190 apply to both 1st and 3rd parties?
> 
>  
> 
> Thank you,
> 
> John
> 
>  
> 
>  
> 
> On May 9, 2012, at 3:57 PM, Ian Fette (イアンフェッティ) wrote:
> 
> 
> 
> 
> 
> On Wed, May 9, 2012 at 3:53 PM, TOUBIANA, VINCENT (VINCENT) <Vincent.Toubiana@alcatel-lucent.com> wrote:
> 
> I believe I should elaborate why I think the current text is too vague. I'm mostly concerned by the following sentence:
> 
> 
> "Similarly, a data collector MUST NOT use the data to build any profile, or associate the data to any profile, of a user used for purposes other than would be allowed outside of the the six week period."
> 
> Why not simply say "Similarly, a data collector MUST NOT use the data for purposes other than those allowed outside of the the six week period." ?
> It seems to me that the examples provided in the rest of the text (see bellow) as well as those mentioned during the phone conference today are actually covered by the permitted uses.
> 
>  
> 
>  
> 
> Playing devil's advocate -- If you say that, then what is the difference between before and after the six week period? I'm not sure what then this exception buys you. I'm not trying to create a back door for some set of nefarious uses, but I'm trying to say instead "Look, if you're not doing anything strange then this should make it trivial for you to comply with this spec if you only retain logs data for six weeks." That covers a lot of people and a lot of legitimate, common, non-scary uses. If you're keeping data for a longer period of time, then there's some burden placed on you as a result.
> 
>  
> 
> "As examples, a data collector MAY use the raw data within a six week period to debug their system, a data collector MAY use the raw data within the six
> 
> week period to build a profile of a user fraudulently or maliciously accessing the system for purposes such as blocking access to the system by that use."
> 
> If the logs can only be used for the "permitted uses" and it's just a question of storing the raw data for six weeks, then I have no objection with this proposal.
> 
> Thank you,
> 
> Vincent
> 
> 
> 
> From: イアンフェッティ <ifette@google.com>
> Date: Wed, 2 May 2012 08:47:53 -0700
> Message-ID: <CAF4kx8fAu5mcN6JCaZ9WHDQg9Kqtpnko7zMxobySVS-5g5xvBA@mail.gmail.com>
> To: "public-tracking@w3.org Group WG" <public-tracking@w3.org>
> 
> 
> On last week's call, I took an action to write a proposal for protocol data
> in the first N weeks (ACTION-190 and ISSUE-142).
> 
> My proposed text would be as follows, comments welcome:
> 
> Protocol data, meaning data that is transmitted by a user agent, such as a
> web browser, in the process of requesting content from a provider,
> explicitly including items such as IP addresses, cookies, and request URIs,
> MAY be stored for a period of 6 weeks in a form that might not otherwise
> satisfy the requirements of this specification. For instance, the data may
> not yet be reduced to the subset of information allowed to be retained for
> permitted uses (such as fraud detection), and technical controls limiting
> access to the data for permitted uses may not be in place on things like
> raw logs data sitting on servers waiting for processing and aggregation
> into a centralized logs storage service.
> 
> Within this six week period, a data collector MUST NOT share data with
> other parties in a manner that would be prohibited outside of the six week
> period. Similarly, a data collector MUST NOT use the data to build any
> profile, or associate the data to any profile, of a user used for purposes
> other than would be allowed outside of the the six week period. As
> examples, a data collector MAY use the raw data within a six week period to
> debug their system, a data collector MAY use the raw data within the six
> week period to build a profile of a user fraudulently or maliciously
> accessing the system for purposes such as blocking access to the system by
> that user, but the data collector MUST NOT build a profile to serve
> targeted advertisements based on the user's past six weeks of browsing
> activity.
> 
> After the six week period has passed, only the subset of data necessary to
> accomplish the permitted exceptions in this specification may be retained,
> and the data must be controlled in such a way that only access to the data
> for these permitted exceptions is allowed.
> 
>  
> 
>  
> 
> ----------
> 
> John M. Simpson
> 
> Consumer Advocate
> 
> Consumer Watchdog
> 
> 1750 Ocean Park Blvd. ,Suite 200
> 
> Santa Monica, CA,90405
> 
> Tel: 310-392-7041
> 
> Cell: 310-292-1902
> 
> www.ConsumerWatchdog.org
> 
> john@consumerwatchdog.org
> 
>  
> 
>  
> 
> 

Received on Thursday, 10 May 2012 18:55:11 UTC