Re: ISSUE-5: definition of tracking

On Sep 5, 2012, at 9:04 AM, Rigo Wenning wrote:

> whether you exclude access logs from the initial definitions or 
> whether you cover them by permitted uses is just a matter of taste.

No, it is a matter of laws and regulations.  If a company says that
it complies with the "Do Not Track" signal and the user has reason
to believe (without reading *any* specification) that it means no
access log will be retained past the current transaction, then the
company can be held liable even if the specification says retention
of the access log is permitted.  Fine text cannot overrule common
perception when there is no expectation that a user will read the
fine text (it isn't even presented to them as part of the standard,
and certainly doesn't reflect current UI for the DNT configuration).

The purpose of a single, one or two sentence definition of what
DNT:1 means (and also what DNT:0 means) is so that it can be
included in the UI, either directly or via tooltip/documentation,
and thus become part of the nomenclature that can be reasonably
understood by the user setting that config.

Furthermore, it allows us to make progress on the rest of the
specification with a common understanding of what the specification
is intended to accomplish, as opposed to what we just experienced
on the call.

> So please do not use the definition for the access log argument. The 
> real question on access logs is the time of non-anonymized 
> retention. W3C anonymizes logs as a matter of policy after 6 weeks. 
> This also helps with exuberant subpoenae. We can (and should IMHO) 
> discuss this explicitly instead of complicating the definition.

No, we can use fine print to further *restrict* the scope of retention,
because the user is not going to complain about further constraints
on what they have already permitted.  We cannot use fine print to
broaden the scope to allow things that do not appear to be allowed
by the definition.

....Roy

Received on Wednesday, 5 September 2012 18:21:48 UTC