Re: Retention with grace period (ACTION-266)

Vincent,

That was not my intent to say that claiming use of this six week period is
mutually exclusive of claiming other usage rights granted in the document.
Merely to say that if you discard data after 6 weeks you are compliant. If
you retain data longer than 6 weeks, then at that point you must fully
comply with the rest of the document as it pertains to retention of data
and usage.

-Ian

On Thu, Oct 25, 2012 at 6:26 AM, TOUBIANA, VINCENT (VINCENT) <
Vincent.Toubiana@alcatel-lucent.com> wrote:

>  Ian,****
>
> ** **
>
> Thank you for this text. I actually see a difference with what you
> proposed for issue-142: here it seems that companies just keep the data for
> 6 weeks and then discard them. So they do not keep “unlinkable data” or
> claim any permitted use. ****
>
> Bigger companies keeping “unlinkable data” or claiming permitted uses
> would not be covered by the grace period, right?****
>
> If that’s the case, I think we should make it clear and add a statement
> like “third parties claiming the 6 weeks period grace MUST not keep any
> data after 6 weeks even for pertmitted uses”. ****
>
> ** **
>
> But I think that we should distinguish this “grace period” and the X-weeks
> “pre-processing” step because that’s confusing. With that in mind, I think
> it is possible to find a compromise and only list “unpermitted uses” for
> the grace period.****
>
> ** **
>
> Also, your text mentions “small websites”, do you mean first parties?****
>
> ** **
>
> Thank you,****
>
> ** **
>
> Vincent****
>
> ** **
>
> ** **
>
> ** **
>  ------------------------------
>
> *De :* Ian Fette (イアンフェッティ) [mailto:ifette@google.com]
> *Envoyé :* mercredi 24 octobre 2012 18:54
> *À :* public-tracking@w3.org Group WG
> *Objet :* Retention with grace period (ACTION-266)****
>
> ** **
>
> In the Amsterdam f2f I was given ACTION-266 to suggest retention related
> to a timed grace period. I'm trying to figure out how this is fundamentally
> different from ISSUE-142 (
> https://www.w3.org/2011/tracking-protection/track/issues/142) which we
> have fundamentally failed to make progress on.****
>
> ** **
>
> I'll briefly repeat my general stance, but I really don't want to sound
> like a broken record which I feel is something that's becoming an
> increasing risk for the working group in general.****
>
> ** **
>
> I'd like to see an approach where, within the first six weeks of
> "collecting" or "being exposed to data", the burden on implementers
> (servers) is extremely low. I'd like to see that so that for the majority
> of small companies / websites, it's very easy to claim compliance (and thus
> broaden adoption of DNT by servers). In my ideal world, you would be able
> to "retain" or "collect" data for up to six weeks without any compliance
> burden. As long as you discard data from DNT users within 6 weeks (e.g. you
> only keep the last 6 weeks of logs at any point), you're done. It
> essentially creates a fast path "If this applies to you you can stop
> reading, you're done."****
>
> ** **
>
> Sadly, it can't be quite that simple, because if it's a total free-for-all
> within the six week period one could simply transfer data to a third party
> and say "I'm still in compliance." So, we need some limitations on what can
> be done within the first six weeks, but to be very explicit, this DOES NOT
> line up precisely with uses of long-term (>6wk) data. If we make it line up
> exactly, then the compliance burden becomes the same and we've not achieved
> anything.****
>
> ** **
>
> My concrete proposal is contained in
> http://lists.w3.org/Archives/Public/public-tracking/2012May/0030.html****
>
> ** **
>
> Additionally, I think we need to discuss what an audit for DNT would look
> like. My proposal here would be that audits should look at practices as
> relate to long-term data retention only. (If you're keeping data >6 weeks,
> you must show that your use matches what is stated in whatever policy you
> have, and that you have appropriate technical controls in place to ensure
> that access to the data is controlled for these uses only.) Within the 6
> week period, there's flexibility to get your data from its original logging
> sources/formats into the system of controls you have in place for long-term
> data, and the "audit" is a noop unless someone has provided evidence that
> you're doing something prohibited by
> http://lists.w3.org/Archives/Public/public-tracking/2012May/0030.html in
> the six week period (e.g. transferring data to a third party).****
>
> ** **
>
> If someone believes this action was somehow materially different from
> ISSUE-142 / ACTION-190 I'm all ears.****
>