- From: Dobbs, Brooks <Brooks.Dobbs@kbmg.com>
- Date: Thu, 8 Nov 2012 15:30:49 +0000
- To: David Singer <singer@apple.com>, David Wainberg <david@networkadvertising.org>
- CC: "public-tracking@w3.org WG" <public-tracking@w3.org>
Just as a point of clarification here I am noticing some language I believe to be technically incorrect entering into the discussion. To be clear - "short term collection" is NOT an exception; it is a permitted use.

This actually highlights another issue. For consistency we may need to change the language around user granted "exceptions" because they aren't really exceptions. An exception would be a special dispensation to process a DNT: 1 signal differently than would otherwise be allowed. Alternatively a UGE will change the UA's rendering of the DNT signal to DNT: 0 for some set of user granted domains. When those sites receive DNT: 0 they aren't operating under an exception to a DNT: 1 condition, they are operating under DNT: 0.

Again, compliance is defined around what you do when you get a DNT: 1. Actually getting DNT: 0 is not an exception to DNT: 1, as DNT: 1 is per the spec not a default. UGE sites never get DNT: 1 which means they aren't looking for an exception for DNT: 1. They only need to follow any specific rules for DNT: 0. Out of Band Consent might be an "exception", because the site actually receives DNT:1, but UGEs aren't an exception for DNT:1; they are the "rule" for DNT: 0.

-Brooks

--
Brooks Dobbs, CIPP | Chief Privacy Officer | KBM Group | Part of the Wunderman Network
(Tel) 678 580 2683 | (Mob) 678 492 1662 | kbmg.com
brooks.dobbs@kbmg.com

This email including attachments may contain confidential information. If you are not the intended recipient, do not copy, distribute or act on it. Instead, notify the sender immediately and delete the message.

On 11/8/12 9:24 AM, "David Singer" <singer@apple.com> wrote:

> Hi David
>
> On Nov 8, 2012, at 15:11, David Wainberg <david@networkadvertising.org> wrote:
>
>> Hi David,
>>
>> I realize you've proposed non-normative. Consider this largely directed at the issue in general.
>
> That was the action, yes, after discussion in Amsterdam.
>
>> <broken record>
>> We have not defined tracking.
>
> Well, much to my puzzlement I have offered a definition (ages ago), that sought to 'limit the playing field'. That is, I tried to say "if you are outside this, you are not tracking and hence not our concern" rather than saying "if you are inside this definition, you are tracking". There was some pushback before I clarified this. I think it helps both us and the community to have such a 'gateway' at the front of the spec.
>
> It is linked from this thread <http://lists.w3.org/Archives/Public/public-tracking/2012Sep/0009.html>
>
>> So how then are we to identify sites that perform no tracking? At best we might allow sites to say that they believe they are not subject to any requirements of the standard. But why wouldn't they be unless they are collecting and using no data at all?
>
> That's certainly one, easy, case. The most likely, I think, is that they keep short-term logs, so the 'third-party with the short-term raw data retention exception' is the most likely case by far.
>
>> Is that what this is for? But surely these sites collect server logs and such that contain information about users' activity across unaffiliated websites, and are therefore subject to the same risks or harms group members have ascribed to the same data in the hands of third party advertising companies.
>
> Yes, if they keep raw data indefinitely, or cooked data in which users can be identified, they are not 'simple non-tracking sites', alas.
>
> I know many sites don't engage in 'deliberate' tracking, i.e. the reason that they keep data is not a priori to keep records about people. But a loophole that says "it's OK to have all the ingredients to make X, as long as you don't actually make X or allow the ingredients to be accessed by someone else" is not a great one to leave open (in any area). Ideas are welcome.
>
> Lacking a better idea, the best I can see is '3' for non-logging sites, '3 + short-term raw-data' for logging sites.
>
>> </broken record>
>>
>> -David
>>
>> On 11/7/12 12:35 PM, David Singer wrote:
>>> (The issue asks for normative text, the action for non-normative, this is non-normative). We need to tell sites that basically are not in the tracking business what they need to do…
>>>
>>> There are circumstances in which sites will appear as third parties in a transaction, but those sites perform little or no tracking. Such sites might include those providing libraries of resources, such as scripts, style-sheets, or images, or sites providing content intended to be 'mashed up' into other sites. Unfortunately, it is not possible to distinguish, among the sites that do not implement Do Not Track, those that track but do not (yet) implement DNT, and sites that do not track.
>>>
>>> For this reason, it is recommended that these non-tracking sites implement a static well-known resource and/or a static DNT response header, indicating their status. The recommended status is '3' (fully third-party compliant, with no qualifiers and no permissions claimed) or '3s' (third party, claiming only the short-term logging permission). If logging is performed, then complying with the requirements for short-term logging may be necessary, to be compliant under these specifications.
>>>
>>> David Singer
>>> Multimedia and Software Standards, Apple Inc.
>
> David Singer
> Multimedia and Software Standards, Apple Inc.

Received on Thursday, 8 November 2012 15:31:23 UTC