Re: ISSUE-5: definition of tracking

Roy,

If you are correct here, and I am not disagreeing, think what this means
for attempts to obtain preference through language like: "Tell websites I
do not want to be tracked".

Do we think that most users would interpret "websites" to mean only 3rd
parties or might a reasonable person also think it meant that a 1st party
e.g. medical/political/dating/younameit site might not "track" my UID
(cookie, IP, whatever) as having visited?

There is a danger to defining words within a spec too far from their
common meaning, as it is likely to create the hurdle you point out below.


-Brooks


-- 

Brooks Dobbs, CIPP | Chief Privacy Officer | KBM Group | Part of the
Wunderman Network
(Tel) 678 580 2683 | (Mob) 678 492 1662 | kbmg.com
brooks.dobbs@kbmg.com



This email - including attachments - may contain confidential information.
If you are not the intended recipient, do not copy, distribute or act on it.
Instead, notify the sender immediately and delete the message.



On 9/5/12 2:21 PM, "Roy T. Fielding" <fielding@gbiv.com> wrote:

>On Sep 5, 2012, at 9:04 AM, Rigo Wenning wrote:
>
>> whether you exclude access logs from the initial definitions or
>> whether you cover them by permitted uses is just a matter of taste.
>
>No, it is a matter of laws and regulations.  If a company says that
>it complies with the "Do Not Track" signal and the user has reason
>to believe (without reading *any* specification) that it means no
>access log will be retained past the current transaction, then the
>company can be held liable even if the specification says retention
>of the access log is permitted.  Fine text cannot overrule common
>perception when there is no expectation that a user will read the
>fine text (it isn't even presented to them as part of the standard,
>and certainly doesn't reflect current UI for the DNT configuration).
>
>The purpose of a single, one or two sentence definition of what
>DNT:1 means (and also what DNT:0 means) is so that it can be
>included in the UI, either directly or via tooltip/documentation,
>and thus become part of the nomenclature that can be reasonably
>understood by the user setting that config.
>
>Furthermore, it allows us to make progress on the rest of the
>specification with a common understanding of what the specification
>is intended to accomplish, as opposed to what we just experienced
>on the call.
>
>> So please do not use the definition for the access log argument. The
>> real question on access logs is the time of non-anonymized
>> retention. W3C anonymizes logs as a matter of policy after 6 weeks.
>> This also helps with exuberant subpoenae. We can (and should IMHO)
>> discuss this explicitly instead of complicating the definition.
>
>No, we can use fine print to further *restrict* the scope of retention,
>because the user is not going to complain about further constraints
>on what they have already permitted.  We cannot use fine print to
>broaden the scope to allow things that do not appear to be allowed
>by the definition.
>
>....Roy
>
>

Received on Wednesday, 5 September 2012 18:47:37 UTC