RE: Proposal: all exemptions to be opt-out, and identity to be declared. from Fred Andrews on 2012-09-30 (public-tracking@w3.org from September 2012)

From: Fred Andrews <fredandw@live.com>
Date: Sun, 30 Sep 2012 23:47:48 +0000
To: Mike O'Neill <michael.oneill@baycloud.com>, "public-tracking@w3.org" <public-tracking@w3.org>
Message-ID: <BLU002-W9867087885207056D89BFEAA800@phx.gbl>
Some online industries want to identify users for profiling, targeting ads, etc.  They can currently do so using the IP address, by covertly reading UA state, and by noting their online activity.  Giving them a defined ID to use instead at least gives the user the option of changing their ID to prevent tracking.  The UA is in control and can issue a separate ID for different origins.   DNT style flags could still be used to opt-out of particular uses of the ID and a returned header could confirm acceptance.

A JS API would probably not be acceptable because the solution would need to work with JS disabled.

cheers
Fred

From: michael.oneill@baycloud.com
To: fredandw@live.com; public-tracking@w3.org
Date: Sun, 30 Sep 2012 13:05:35 +0100
Subject: RE: Proposal: all exemptions to be opt-out, and identity to be declared.

Fred, I like this one. The existing TPC is getting weighed down by endless qualifications to the point of being incomprehensible to anyone outside the group. The whole point of DNT is to put the decision (to allow themselves to be tracked) into the hands of users and this simple idea  does that. The user supplied UID could be embellished a bit. It has the problem that clear ID on every request would be visible to anyone and would make UA fingerprinting a doddle, and also spoil the idea of a contract between the tracked and the tracker. How about the UID (once enabled by the user) is generated as new on every request but is based on a concatenation of the user id with a continuously changing random value and encrypted using a key. The key could then be exchanged between the UA and a website using a JS API (gated by a UI). Then only the website given the key could track that user, and the user has absolute control over the process. Mike  From: Fred Andrews [mailto:fredandw@live.com] 
Sent: 30 September 2012 00:41
To: public-tracking@w3.org
Subject: Proposal: all exemptions to be opt-out, and identity to be declared. Many in the advertising industry have been pointing out a need to collect some identifiable information to meet reporting requirements.  For example, a need to be able to record the country that an ad is delivered to.   Such collection conflicts with the charter of this group.   I propose that this matter be resolved by adding a UA identifier to the DNT header or to a complementary header, and to include the declared country of the user in the header.   Advertisers would be permitted to both use this identifier to track users and target ads and to use it for reporting purposes.  Users that do not want to be tracked may change the identifier as they deem necessary.  Since it is under user control, advertisers would presumable not be held responsible in contracts for differences between the users declared country and their actual country and advertiser would have a record for proof.

Many in the advertising industry have expressed a need for exemptions to 'Do Not Track'.  Any exemption without user choice conflicts with the charter of this group.  I propose to resolve this matter by requiring that all exemptions be assigned a UA header flag and that websites only be permitted the exemption when allowed by an explicit flag.  Local laws and law enforcement needs override the DNT code of conduct anyway so there is no need to include this in the document.  The exemptions would include first party use, make a distinction between first party use before a user has explicitly identified themselves and after, and include the use of UA fingerprinting, etc.   The server would be required to return the flags it is complying with as confirmation, and if DNT were deemed as negotiable then the server would return the flags it is prepared to comply with.

Some users have expressed a desire to be tracked and profiled and to have targeted ads delivered to them.  With this proposal they can choose a unique identifier for themselves which they can share among their user agents, and can declare their country so that they get appropriate ads even when connecting via a tunnel or ipv6.  Further they can enable all uses of their information.

Some users have expressed a desire not to be tracked at all.  This proposal allows them to opt-out of being fingerprinted and to ensure that all servers they connect to agree not track them for any purpose at to change their identity as they deem necessary.  I would imagine that users would at least agree to tracking after they have explicitly identified themselves to a website, by signing in, but a UA may wish to negotiate even this to make sure the user has really explicitly consented.

I believe this proposal meets the charter of this group far better that the current proposals and call on the current proposals to be rewritten and renegotiated along these lines.

cheers
Fred
Received on Sunday, 30 September 2012 23:48:16 UTC