Re: June Change Proposal: Definition of Tracking (ISSUE-5)

On Jul 7, 2013, at 21:48 , Jonathan Mayer <jmayer@stanford.edu> wrote:

> Perhaps a concrete example would help clarify: Suppose a third-party website starts tagging browsers with ID cookies for no particular reason.  I think that should be covered, even if the website quickly discards the data.

It already is.  That's retaining something (an ID on the user) after the transaction is complete.  And the only purpose/utility would be to link that ID to some data records, so that would be a further violation.

> A parallel in the recent NSA coverage may also be instructive.  The NSA has argued that it does not "collect" information when it is swept into a dragnet.  Some observers have criticized this perspective, noting that privacy risks arise from data being made available to the NSA, independent of how it is retained or used.

Agreed again, and that again is covered by the 'don't retain after the transaction is over'.

> 
> Jonathan
> 
> On Monday, July 1, 2013 at 9:46 AM, David Singer wrote:
> 
>> 
>> On Jun 27, 2013, at 20:17 , Jonathan Mayer <jmayer@stanford.edu> wrote:
>> 
>>> David,
>>> 
>>> This definition is trying to get at two issues. First, privacy risks flow from the very collection of certain information (e.g. linkable non-protocol information). Second, the standard should prohibit certain collection practices. Much like the June Draft usage of the term "tracking," the intent here is to reflect the aims and sweep of the compliance document. Other sections of text provide detail, including that protocol information can be used.
>> 
>> I am still not getting what you mean by 'collect' that is different from 'retain'.
>> 
>> Example (we worked with this before): 'collect' means actively gathering information that is additional to that found in the protocol exchange. Examples would be looking up a geographic location (using IP address), or looking the user up in some database held by another party (distinguishing this collected data from data already known by the party).
>> 
>> We already seem to be working towards 'retain' as holding information after the transaction is over.
>> 
>> 
>>> 
>>> Best,
>>> Jonathan
>>> On Thursday, June 27, 2013 at 6:49 PM, David Singer wrote:
>>> 
>>>> Can you tell us what you mean by 'collect' (that distinguishes it from 'retain', and that allows use of in-transaction data for satisfying the transaction)?
>>>> 
>>>> 
>>>> On Jun 26, 2013, at 5:57 , Jonathan Mayer <jmayer@stanford.edu> wrote:
>>>> 
>>>>> I would propose that we not define "tracking" within the TCS document.
>>>>> 
>>>>> In the alternative, if the group elects to proceed with a definition, I would propose this small change:
>>>>>> Tracking is the collection, retention, or use of data records that are, or can be, associated with a specific user, user agent, or device.
>>>>> 
>>>>> This definition encompasses collection of information, unlike the June Draft text.
>>>> 
>>>> David Singer
>>>> Multimedia and Software Standards, Apple Inc.
>> 
>> David Singer
>> Multimedia and Software Standards, Apple Inc.
> 

David Singer
Multimedia and Software Standards, Apple Inc.

Received on Monday, 8 July 2013 18:17:50 UTC