- From: Shane Wiley <wileys@yahoo-inc.com>
- Date: Mon, 1 Oct 2012 03:42:04 -0700
- To: Jonathan Mayer <jmayer@stanford.edu>, John Simpson <john@consumerwatchdog.org>
- CC: "Aleecia M. McDonald" <aleecia@aleecia.com>, "public-tracking@w3.org (public-tracking@w3.org)" <public-tracking@w3.org>
- Message-ID: <63294A1959410048A33AEE161379C802747DC9C3DC@SP2-EX07VS02.ds.corp.yahoo.com>
Jonathan, I believe there are three paths being discussed: 1. Provide a timeframe in which data can be minimized in preparation for permitted uses (6 weeks) 2. Be silent on timeframe as the core issue is restriction to permitted uses and data minimization must have been achieved prior to use (no timeframe needed) 3. #1 + highlighting what cannot be done in that initial time period I’m personally somewhere between #1 and #2. I believe #3 over complicates the situation in that as long as data is never used for anything but a permitted use, then enumerating those things that can NOT be done in that timeframe overly complicates the situation. - Shane From: Jonathan Mayer [mailto:jmayer@stanford.edu] Sent: Monday, October 01, 2012 5:57 AM To: John Simpson Cc: Aleecia M. McDonald; public-tracking@w3.org (public-tracking@w3.org) Subject: Re: Poll text call: final text by 28 September I'm thoroughly confused by this thread. The current draft accurately reflects the state of discussions: we do not have consensus on whether to include a use-based short-term exception. The two text proposals, however, seem to presuppose such an exception exists. They also don't address a possible short-term exception scoped to protocol data, an alternative that quite a few members of the group would support. I also don't understand the mystique of the six-week period. A number of working group members explicitly noted in Bellevue that six weeks was not something they would agree to, either as too short (e.g. Shane) or too long (e.g. Lee). Jonathan On Sunday, September 30, 2012 at 9:45 AM, John Simpson wrote: Thank you, Aleecia. I was not at at the F2F in Boston, joining the group in October, so I wasn't aware of this conversation. I drew my definite two-week retention limit based on my analogy to the workplace I mentioned and also the fact that it was the protocol retention limit proposed in the EFF/Mozilla/Stanford proposal. I thought it was still under active consideration by a significant number of members in the WG and thought it should be included as an option for that reason. If you believe the group generally has moved past that point and that the two options you offer provide the best opportunity for reaching consensus, I can *live* with that. Cheers, John ---------- John M. Simpson Consumer Advocate Consumer Watchdog 2701 Ocean Park Blvd., Suite 112 Santa Monica, CA,90405 Tel: 310-392-7041 Cell: 310-292-1902 www.ConsumerWatchdog.org<http://www.ConsumerWatchdog.org> john@consumerwatchdog.org<mailto:john@consumerwatchdog.org> On Sep 29, 2012, at 10:25 PM, Aleecia M. McDonald wrote: Hi John, Thank you for your suggested new text before the deadline. While we can add this as an option, I would like to remind you that in Boston we heard that aggregate reports of one month spans are an exceedingly common use case for this data. The rationale for six weeks was to add some extra time beyond a rolling four week period, just in case something needs to be re-run or otherwise needs a little extra time. During our discussions in Boston, I remember Peter being able to live with six weeks as reasonable for privacy, and many in industry able to live with six weeks as reasonable time for processing. We were exceedingly close to consensus on this point. Two weeks' notice for leaving a job is an interesting concept, but is also a cultural construct. I hear that in some European countries, 3 or 6 months' notice is common. I am not convinced this is a relevant metric for our work here on log files. If you have new information to present to the group with substantive reasons for why two weeks rather than six weeks, this would be a good time to discuss that information. Aleecia On Sep 28, 2012, at 4:13 PM, John Simpson <john@consumerwatchdog.org<mailto:john@consumerwatchdog.org>> wrote: Sure, David. As I understand it what we're talking about here are log files and that sort of thing that are passively collected with any Internet transaction. If DNT is enabled they ought not be retained in unidentifiable form. The question: What is a reasonable time frame for that? I came up with two weeks based on an analogy to the sort of common workplace understanding about leaving a job. You give two weeks notice when you quit. You give the boss two weeks two get things in order upon your departure. Here the user is giving the server two weeks notice to get things in order to honor his or her explicit preference about not being tracked. Best, John ---------- John M. Simpson Consumer Advocate Consumer Watchdog 2701 Ocean Park Blvd., Suite 112 Santa Monica, CA,90405 Tel: 310-392-7041 Cell: 310-292-1902 www.ConsumerWatchdog.org<http://www.consumerwatchdog.org/> john@consumerwatchdog.org<mailto:john@consumerwatchdog.org> On Sep 28, 2012, at 3:49 PM, David Wainberg wrote: John, It might be helpful to provide your basis for suggesting the two week period as a viable option. -David On 9/28/12 6:33 PM, John Simpson wrote: Aleecia, I would offer this option: Option 3: Operators MAY retain data related to a communication in a third-party context for up to TWO weeks. During this time, operators may render data unlinkable (as described above) or perform processing of the data for any of the other permitted uses ---------- John M. Simpson Consumer Advocate Consumer Watchdog 2701 Ocean Park Blvd., Suite 112 Santa Monica, CA,90405 Tel: 310-392-7041 Cell: 310-292-1902 www.ConsumerWatchdog.org<http://www.consumerwatchdog.org/> john@consumerwatchdog.org<mailto:john@consumerwatchdog.org> On Sep 28, 2012, at 3:12 PM, David Wainberg wrote: Aleecia, In reviewing this to provide feedback, it occurs to me that it relies on the definition of unlinkable, which is still very much up for debate. How can companies weigh in on these options without understanding what the requirements actually are? We should postpone this poll until we define unlinkable so that companies can give realistic feedback regarding the time and effort needed to meet the requirements. Thanks, David On 9/25/12 6:20 PM, Aleecia M. McDonald wrote: From the call on 12 September, we discussed topics where we have increasing clarity on options for permitted uses. I want to make sure we have the text right to reflect our options prior to doing a decision process with a poll calling for objections, which is responsive to Ian's feedback. We also want to move quickly, as Roy suggests. Please propose specific alternative text if you believe that the two texts given below do not reflect the options before us by Friday, 28 September. We will briefly review these texts on the call tomorrow, just to make sure no one misses anything, and here we are on the mailing list, for those who cannot make the call. Aleecia ----- Log files: issue-134 ---- This normative text fits into the section on Third Party Compliance, subsection 6.1.1.1, Short Term Collection and Use, <http://www.w3.org/2011/tracking-protection/drafts/tracking-compliance.html#short-term>. We will also want non-normative text, and have some suggested, but that will be clearer once we have the normative text settled. (Options for definitions of unlinkable data are in section 3.6, Unlinkable Data, <http://www.w3.org/2011/tracking-protection/drafts/tracking-compliance.html#def-unlinkable>.) Option 1: Operators MAY retain data related to a communication in a third-party context for up to 6 weeks. During this time, operators may render data unlinkable (as described above) or perform processing of the data for any of the other permitted uses. Option 2: Operators MAY retain data related to a communication in a third-party context. They MUST provide public transparency of their data retention period, which MUST have a specific time period (e.g. not infinite or indefinite.) During this time, operators may render data unlinkable (as described above) or perform processing of the data for any of the other permitted uses.
Received on Monday, 1 October 2012 10:42:56 UTC