Re: Proposals for Compliance issue clean up

Hi Mike - 

Thanks for the clarification.

Cheers,

Alan Chapell
Chapell & Associates
917 318 8440


From:  Mike O'Neill <michael.oneill@baycloud.com>
Date:  Monday, November 12, 2012 3:15 PM
To:  Alan Chapell <achapell@chapellassociates.com>
Cc:  <public-tracking@w3.org>
Subject:  RE: Proposals for Compliance issue clean up

> Hi Alan,
>  
> I have no problem (in the DNT case) with reasonable commercial purposes like
> frequency capping, click fraud detection etc., as long as minimum entropy UUID
> were only around for a short period (hours rather than months), not be
> recreated or cloned etc. and solely used for those purposes. What most people
> don’t want is their web history gathered without their consent, and that needs
> persistent or constantly recreated UUIDs. If they were confident their
> non-consent would be strictly honoured, and consent could be easily revoked,
> then I’m sure ultimately most people would not have a problem with OBA.
>  
> Mike
>  
>  
>  
>  
> 
> From: Alan Chapell [mailto:achapell@chapellassociates.com]
> Sent: 12 November 2012 14:54
> To: Mike O'Neill; public-tracking@w3.org
> Cc: ifette@google.com; tlr@w3.org
> Subject: Re: Proposals for Compliance issue clean up
>  
> 
> Good Morning Mike, pls see below…
> 
>  
> 
>  
> 
> From: Mike O'Neill <michael.oneill@baycloud.com>
> Date: Saturday, November 10, 2012 10:40 AM
> To: <public-tracking@w3.org>
> Cc: <ifette@google.com>, <tlr@w3.org>
> Subject: RE: Proposals for Compliance issue clean up
> Resent-From: <public-tracking@w3.org>
> Resent-Date: Sat, 10 Nov 2012 15:41:40 +0000
> 
>  
>> 
>> It has been pointed out to me that my last message may have been too brief to
>> be constructive, for which I apologise.
>>  
>> I was simply offering an opinion, namely that the early decision (to make the
>> compliance spec mean different things to sites receiving DNT:1)  is one of
>> the reasons our process is stuck, which in turn has opened it up to ridicule.
>> My interjection was to what I perceived as an example of this, applying the
>> 1st party rule to redirector hosts.
> 
>  
> 
> Agree completely re: the 1st party and 3rd party distinctions – when taken to
> the extreme – are creating all kinds of issues with the spec. Specifically,
> (and at risk of sounding like a broken record) significant anti-competitive
> issues, a negative impact upon diversity of content choices for Users, and
> (quite ironically) little to no improvement on consumer privacy choices.
> Although given that we haven't done a great job as a group of articulating the
> privacy harms we're trying to address, I suspect this final point may be lost
> on some.
> 
>  
> 
> I may have missed your point re: redirector hosts. What is the issue we're
> trying to get at by pushing for redirector hosts to be treated as 3rd parties?
> 
>  
>> 
>>  
>> I think it also underlies the emotional reaction to debates shown by some,
>> either because they feel disadvantaged by the lack of a level playing field,
>> or they feel that the original conception of DNT as a simple declarative
>> indication of intent has been lost.
>>  
>> I believe the idea was a compromise in order to reach agreement, but that has
>> patently not happened. In fact it has had the opposite effect.
>>  
>> Because only servers accessed in a 3rd party context need to amend their
>> business practices, companies naturally try to ensure their operation is in
>> the other category. This has led to continued debate about how the
>> categories are defined and differentiated  in the TPC and overly complex
>> additions of protocol elements to the TPE. For example, extra qualifiers in
>> the request and the response headers have had to be invented, which Ian
>> pointed out was becoming tedious.
>>  
>> I also think this had made reaching agreement on exemptions more difficult,
>> because DNT has a greater impact on parties that rely on 3rd party elements
>> and do not have the high traffic sites. This fundamental unfairness has led
>> to some inventing ever more exemption categories to get their operations off
>> the hook.
>>  
>> My opinion is that there should be no difference in the compliance spec
>> between 1st and 3rd parties, the DNT:1 signal should mean UUIDs must not be
>> allocated or used without consent, and we should put more effort in designing
>> an effective and transparent exception protocol. As has been pointed out many
>> times this distinction cannot apply in Europe anyway. The reason most of us
>> are here is to respond to people’s unease about privacy and loss of trust in
>> the web, and we should primarily address that.
> 
>  
> 
> As I've said, I'm increasingly uncomfortable with a complete first party
> immunity to the DNT spec. But outside of trying to reign this notion in a bit,
> I've been unable to come up with a solution that would not result in
> accusations that I'm trying to blow up the whole process here.
> 
>  
> 
> Can you sketch out your idea a bit more? Are you advocating that items like
> frequency capping would be covered under Permitted Uses? Or are you saying
> that the storage of ANY UDID (other than fraud, security, etc) post enactment
> of DNT would be off limits?
> 
>  
>> 
>>  
>> Mike
>>  
>>  
>>  
>> 
>> From: Mike O'Neill [mailto:michael.oneill@baycloud.com]
>> Sent: 10 November 2012 09:20
>> To: ifette@google.com
>> Cc: public-tracking@w3.org
>> Subject: RE: Proposals for Compliance issue clean up
>>  
>> Ian,
>>  
>> Redirections are invisible to users so we cannot give the parties that host
>> them carte blanche to ignore DNT. The 1st party/ 3rd party distinction is
>> starting to make this whole process look ridiculous.
>>  
>> Mike
>>  
>> From: Ian Fette (イアンフェッティ) [mailto:ifette@google.com]
>> Sent: 09 November 2012 21:07
>> To: Aleecia M. McDonald
>> Cc: public-tracking@w3.org (public-tracking@w3.org) (public-tracking@w3.org)
>> Subject: Re: Proposals for Compliance issue clean up
>>  
>> 
>> Aleecia, there was proposed text as an alternative to ISSUE-97/ACTION/196.
>> See my work on ACTION-303 and proposals on that thread.
>> http://www.w3.org/2011/tracking-protection/track/actions/303
>> 
>>  
>> 
>> In particular, I am not satisfied with redirects being treated as third
>> parties and would object to that concept.
>> 
>>  
>> 
>> -Ian
>> 
>>  
>> 
>> On Fri, Nov 9, 2012 at 12:04 PM, Aleecia M. McDonald <aleecia@aleecia.com>
>> wrote:
>> Here are places we might have straight-forward decisions. If there are no
>> responses within a week (that is, by Friday 16 November,) we will adopt the
>> proposals below.
>> 
>> 
>> For issue-97 (Re-direction, shortened URLs, click analytics -- what kind of
>> tracking is this?)  with action-196, we have text with no counter proposal.
>> Unless someone volunteers to take an action to write opposing text, we will
>> close this with the action-196 text.
>>         PROPOSED: We adopt the text from action-196,
>> http://lists.w3.org/Archives/Public/public-tracking/2012Jun/0106.html
>> 
>> For issue-60 (Will a recipient know if it itself is a 1st or 3rd party?) we
>> had a meeting of the minds
>> (http://lists.w3.org/Archives/Public/public-tracking/2012Apr/0129.html) but
>> did not close the issue. We have support for 3.5.2 Option 2,
>> http://www.w3.org/2011/tracking-protection/drafts/tracking-compliance.html#de
>> f-first-third-parties-opt-2, with one of the authors of 3.5.1 Option 1,
>> http://www.w3.org/2011/tracking-protection/drafts/tracking-compliance.html#de
>> f-first-third-parties-opt-2 accepting Option 2. There was no sustained
>> objection against Option 2 at that time. Let us find out if there is
>> remaining disagreement.
>>         PROPOSED: We adopt 3.5.2 Option 2,
>> http://www.w3.org/2011/tracking-protection/drafts/tracking-compliance.html#de
>> f-first-third-parties-opt-2
>> 
>> For action-306, we have a proposed definition with accompanying non-normative
>> examples
>>         PROPOSED: We adopt the text from action-306 to define declared data,
>> to be added to the definitions in the Compliance document,
>> http://lists.w3.org/Archives/Public/public-tracking/2012Oct/0296.html
>>         PROPOSED: We look for volunteers to take an action to write text
>> explaining when and how declared data is relevant (See the note in 6.1.2.3,
>> http://www.w3.org/2011/tracking-protection/drafts/tracking-compliance.html#fi
>> rst-party-data) to address issue-64
>> 
>>         Aleecia
>>