Re: ISSUE-5: definition of tracking


If you are correct here, and I am not disagreeing, think what this means
for attempts to obtain preference through language like: "Tell websites I
do not want to be tracked".

Do we think that most users would interpret "websites" to mean only 3rd
parties or might a reasonable person also think it meant that a 1st party
e.g. medical/political/dating/younameit site might not "track" my UID
(cookie, IP, whatever) as having visited?

There is a danger to defining words within a spec too far from their
common meaning.  As it is likely to create the hurdle you point out below.



Brooks Dobbs, CIPP | Chief Privacy Officer | KBM Group | Part of the
Wunderman Network
(Tel) 678 580 2683 | (Mob) 678 492 1662 |

This email  including attachments  may contain confidential information.
If you are not the intended recipient,
 do not copy, distribute or act on it. Instead, notify the sender
immediately and delete the message.

On 9/5/12 2:21 PM, "Roy T. Fielding" <> wrote:

>On Sep 5, 2012, at 9:04 AM, Rigo Wenning wrote:
>> whether you exclude access logs from the initial definitions or
>> whether you cover them by permitted uses is just a matter of taste.
>No, it is a matter of laws and regulations.  If a company says that
>it complies with the "Do Not Track" signal and the user has reason
>to believe (without reading *any* specification) that it means no
>access log will be retained past the current transaction, then the
>company can be held liable even if the specification says retention
>of the access log is permitted.  Fine text cannot overrule common
>perception when there is no expectation that a user will read the
>fine text (it isn't even presented to them as part of the standard,
>and certainly doesn't reflect current UI for the DNT configuration).
>The purpose of a single, one or two sentence definition of what
>DNT:1 means (and also what DNT:0 means) is so that it can be
>included in the UI, either directly or via tooltip/documentation,
>and thus become part of the nomenclature that can be reasonably
>understood by the user setting that config.
>Furthermore, it allows us to make progress on the rest of the
>specification with a common understanding of what the specification
>is intended to accomplish, as opposed to what we just experienced
>on the call.
>> So please do not use the definition for the access log argument. The
>> real question on access logs is the time of non-anonymized
>> retention. W3C anonymizes logs as a matter of policy after 6 weeks.
>> This also helps with exuberant subpoenae. We can (and should IMHO)
>> discuss this explicitly instead of complicating the definition.
>No, we can use fine print to further *restrict* the scope of retention,
>because the user is not going to complain about further constraints
>on what they have already permitted.  We cannot use fine print to
>broaden the scope to allow things that do not appear to be allowed
>by the definition.

Received on Wednesday, 5 September 2012 18:47:37 UTC