W3C home > Mailing lists > Public > public-tracking@w3.org > September 2012

Re: ISSUE-5: definition of tracking

From: Roy T. Fielding <fielding@gbiv.com>
Date: Wed, 5 Sep 2012 01:29:39 -0700
Cc: "Aleecia M. McDonald" <aleecia@aleecia.com>, W3 Tracking <public-tracking@w3.org>
Message-Id: <BE6C996B-16FB-46A7-B95D-159A2BE08115@gbiv.com>
To: David Singer <singer@apple.com>
On Sep 4, 2012, at 4:16 PM, David Singer wrote:
> On Sep 4, 2012, at 15:20 , "Roy T. Fielding" <fielding@gbiv.com> wrote:
>> On Sep 4, 2012, at 10:07 AM, Aleecia M. McDonald wrote:
>>> 	(c) Buried in this discussion (of "absolutely not tracking") was David Singer's attempt to define tracking: "Tracking is the retention or use, after a transaction is complete, of data records that are, or can be, associated with a single user." (I'd append: ", user agent, or device.")   Unlike every other time someone has made the attempt, the one and only reply was in support. Does that mean we can live with this? [Note that issue-5 is currently raised]
>> Probably not.  It does us very little good to define tracking such
>> that it encompasses all access logs, since they are essential
>> to any site that isn't deliberately acting as an open gateway.
>> Are we agreed to that at least?
> Actually, I was trying for a definition which clearly *excluded* data that was *out* of scope, and then discussed -- via permissions, and exceptions and so on -- uses that fall into the scope and need discussion.

Access logs involve the retention of IP addresses, request targets,
and other request attributes long after a transaction is complete.
If keeping an access log is considered tracking, then almost all servers
on the Web track (the exceptions being a few privacy-masking portals).

I don't believe that defining tracking such that almost every server on
the Web is non-compliant (and will remain non-compliant) is a viable
choice if we think deployment of the protocol is desirable, nor do
I think it matches user expectations about "do not track", so I'd
like to have a definition that matches whatever it is that the user
wants us to stop doing when they send DNT:1.

>  I think trying to find a 'tight' definition that includes only the things that are in scope is much harder.  So, ordinary logging would be discussed and a suitable permission defined, in this model.  But we would not need to discuss retention or use of data that's outside this definition.

I agree it is much harder.  OTOH, I think it will help us
obtain consensus on the requirements if we actually agree on what
is being restricted (and what is not).

I have pointed out numerous times that I won't accept a blanket
prohibition on doing anything, followed by a list of permissions
on what I am allowed to do.  I would have to be insane to claim
that I could comply with such a thing.

>> If so, as Shane has said a few million times, the definition of
>> tracking has to reflect actively tracking the user/device
>> (operational use of the data collected).  Additional restrictions
>> on the retention of data for specific and necessary purposes can
>> also be required for compliance, but that doesn't need to be
>> reflected in the definition of "Do Not Track".
>> A variation on David's definition would be:
>> Tracking is the retention or sharing of data collected from an
>> interaction to associate that interaction with a specific user
>> (or their personal user agent or device) and use that association
>> to obtain, collect, or correlate that user's behavior beyond
>> the scope of a single session.
> That's not the only (or even possibly primary) use that worries people, in my understanding.

I am trying to define tracking, not their worries.  If folks can
talk about what the above does not cover, then we can look for some
wording that plugs the gaps.  Or we can start with any of the four
other definitions that I have proposed.  Or some new definition,
if someone gets an inspiration.

Received on Wednesday, 5 September 2012 08:30:25 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 17:38:59 UTC