Re: June Change Proposal: Definition of Tracking (ISSUE-5) from John Simpson on 2013-07-09 (public-tracking@w3.org from July 2013)

From: John Simpson <john@consumerwatchdog.org>
Date: Tue, 9 Jul 2013 15:10:55 -0700
To: achapell <achapell@chapellassociates.com>
Cc: felten@CS.Princeton.EDU, tlr@w3.org, wileys@yahoo-inc.com, rob@blaeu.com, singer@apple.com, public-tracking@w3.org
Message-Id: <F05F90E0-DFD3-422A-96CD-73D1F29D120E@consumerwatchdog.org>
I'm still waiting for a reason for the original proposed DAA text and explanation of how in the the proposers' view it differs from the June draft.

Again to be able to consider the DAA proposed amendment, we need to understand the reasoning behind it.





On Jul 9, 2013, at 3:01 PM, achapell <achapell@chapellassociates.com> wrote:

> I see it more as a clarification of the daa text based upon feedback that was received by the working group.
> 
> (Although I'm not sure there's a substantive distinction. Pls let me know if you disagree) 
> 
> 
> 
> 
> Cheers,
> 
> Alan Chapell
> 917 318 8440
> 
> 
> 
> -------- Original message --------
> From: "Edward W. Felten" <felten@CS.Princeton.EDU> 
> Date: 07/09/2013 5:44 PM (GMT-05:00) 
> To: Thomas Roessler <tlr@w3.org> 
> Cc: Shane Wiley <wileys@yahoo-inc.com>,rob@blaeu.com,Alan Chapell <achapell@chapellassociates.com>,David Singer <singer@apple.com>,public-tracking@w3.org 
> Subject: Re: June Change Proposal: Definition of Tracking (ISSUE-5) 
> 
> 
> What Jack sent is a proposed amendment to the DAA text, which may or may not be adopted by the working group.  Until that amendment is adopted by the working group (if it is), the original DAA proposal is still on the table. 
> 
> 
> On Tue, Jul 9, 2013 at 5:27 PM, Thomas Roessler <tlr@w3.org> wrote:
> From the amendments that Jack Hobaugh submitted today:
>   http://lists.w3.org/Archives/Public/public-tracking/2013Jul/0146.html
>> Amendment # 2:
>> 
>> Tracking is the collection and retention,  or use of a user�s browsing activity � the domains or URLs visited across non-affiliated websites -- linked to a specific user,  computer,  or device.
>> 
> 
> Regards,
> 
> Thomas Roessler, W3C <tlr@w3.org> (@roessler)
> 
> 
> 
> 
> On 2013-07-09, at 23:22 +0200, "Edward W. Felten" <felten@CS.Princeton.EDU> wrote:
> 
>> The definition in the DAA text is "Tracking is the collection and retention , or use, after a network interaction is complete, of data records that are, or can be, associated with of activity across non-affiliated websites linked to a specific user, user agent computer, or device."
>> 
>> I don't see anything in that definition that limits it to "IDs + URLs".   It seems to cover "data records that are, or can be, associated with activity ..."
>> 
>> 
>> On Tue, Jul 9, 2013 at 2:24 PM, Shane Wiley <wileys@yahoo-inc.com> wrote:
>> Rob,
>> 
>> This definition is too broad and therefore not likely to be implemented.  If we instead focus on tracking as being the association of a unique ID (any source - including digital fingerprints) with web activity (URLs) across non-affiliated sites - we have a foundation upon which we can build a lasting DNT standard (and one that will be implemented and advanced user privacy in a real way).
>> 
>> Could you please provide examples where you feel the industry definition is too narrow (IDs + URLs)?  This appears to hit right at the very heart of the concept of "online tracking" and hopefully builds a definition by which our activities can be appropriately focused.
>> 
>> Please keep in mind the technical side of the specification is so easy to game that we should expect rates exceeding 50% to 80% of DNT:1.
>> 
>> - Shane
>> 
>> -----Original Message-----
>> From: Rob van Eijk [mailto:rob@blaeu.com]
>> Sent: Tuesday, July 09, 2013 6:21 AM
>> To: Alan Chapell
>> Cc: David Singer; public-tracking@w3.org
>> Subject: Re: June Change Proposal: Definition of Tracking (ISSUE-5)
>> 
>> 
>> Just to let you know that the DPAs specifically ruled out fingerprinting as an alternative for cookie based tracking in the Berlin Group opinion on Web Tracking and Privacy.
>> 
>> Keeping a definition technology neutral is fine with me. Wishing fingerprinting is off the radar for DPAs is not a preferred move. It would be wise to include fingerprinting specifically in non-normative text, if a definition has to be part of the standard.
>> 
>> 
>> I am proposing a new tracking defintion and non-normative text:
>> 
>> Tracking is any form of collection, retention, use and/or application of data that are, or can be, associated with a specific user, user agent, or device.
>> 
>> Non normative explanation: Tracking is not exclusively connected to unique ID cookies. Tracking includes automated real time decisions, intended to analyse or predict the personality or certain personal aspects relating to a natural person, including the analysis and prediction of the person’s health, economic situation, information on political or philosophical beliefs , performance at work, leisure, personal preferences or interests, details and patterns on behavior, detailed location or movements. Tracking is defined in a technological neutral way and includes e.g. cookie based tracking technology, active and passive fingerprinting techniques.
>> 
>> 
>> Rob
>> 
>> Alan Chapell schreef op 2013-07-09 14:42:
>> > Well put, David. I'm not sure we want to call out digital
>> > fingerprinting specifically - technology neutral is best.
>> >
>> >
>> > On 7/9/13 8:04 AM, "David Singer" <singer@apple.com> wrote:
>> >
>> >>
>> >> On Jul 9, 2013, at 12:33 , Rob van Eijk <rob@blaeu.com> wrote:
>> >>
>> >>>
>> >>>>>> well, the fingerprint is used as a key to some data storageŠ
>> >>>>> What if it isn't?  What if a website collects a fingerprint and
>> >>>>> then discards it?  Surely that should still be prohibited.
>> >>>> So, during the transaction, the server calculates a fingerprint
>> >>>> that's plausibly unique to the user, and then when the transaction
>> >>>> is complete, it discards the fingerprint.  It can't now have
>> >>>> anything retained that's keyed to that fingerprint, and it can't
>> >>>> know if the same user visits again (fingerprint match).  I don't
>> >>>> see the point, but I don't see a problem.
>> >>>
>> >>>
>> >>> Fingerprints do in may cases end up in data sets as matching
>> >>> identifiers.
>> >>
>> >> Then data is being retained.
>> >>
>> >>>
>> >>> Even if a fingerprint is discarded, it can facilitate the linking of
>> >>> new data to already collected data.
>> >>
>> >> how?  if I discard the fingerprint (it's not recorded anywhere)Š
>> >>
>> >>> Therefore, fingerprinting is important to address when DNT:1.
>> >>>
>> >>> DNT:1 must cover fingerprinting based tracking equal to cookie based
>> >>> tracking.
>> >>
>> >> DNT should cover *tracking*, and we might have comments or notes on
>> >> what constitutes tracking, retention, etc., but I think it very
>> >> dangerous to talk of specific technologies in the normative text.
>> >>
>> >>>
>> >>>
>> >>> David Singer schreef op 2013-07-09 13:05:
>> >>>> On Jul 8, 2013, at 20:46 , Jonathan Mayer <jmayer@stanford.edu>
>> >>>> wrote:
>> >>>>>> that could usefully be made clear (that storing information in a
>> >>>>>> cookie that later should come back to you is still 'retaining'.
>> >>>>> I'd prefer to focus on privacy properties, not particular
>> >>>>> technical implementations.  My concern is not the use of browser
>> >>>>> storage.
>> >>>>> It's
>> >>>>> the information flow from the browser to the website.
>> >>>> Sure, my focus is on what information is retained in the sense it
>> >>>> is usable by the site(s) after the transaction is over.  Where it
>> >>>> is (local, cloud, client, service provider, etc.) are irrelevant.
>> >>>>>>> (And what about fingerprinting, where there is no client-side
>> >>>>>>> information stored?)
>> >>>>>> well, the fingerprint is used as a key to some data storageŠ
>> >>>>> What if it isn't?  What if a website collects a fingerprint and
>> >>>>> then discards it?  Surely that should still be prohibited.
>> >>>> So, during the transaction, the server calculates a fingerprint
>> >>>> that's plausibly unique to the user, and then when the transaction
>> >>>> is complete, it discards the fingerprint.  It can't now have
>> >>>> anything retained that's keyed to that fingerprint, and it can't
>> >>>> know if the same user visits again (fingerprint match).  I don't
>> >>>> see the point, but I don't see a problem.
>> >>>>>>> At any rate, I'm inclined to hold this (constructive!)
>> >>>>>>> conversation until we decide a) to have a definition of
>> >>>>>>> "tracking" and b) to make that definition normative.
>> >>>>>> The june document has such, so we should make sure it's
>> >>>>>> watertight.
>> >>>>>> that's why I am pressing for specifics. yes, it's helpful.
>> >>>>> The June draft definition is de jure normative, but de facto
>> >>>>> non-normative since it isn't used anywhere.
>> >>>> Indeed, I have CPs to make it used.  It's used by implication but
>> >>>> not by the text.
>> >>>> David Singer
>> >>>> Multimedia and Software Standards, Apple Inc.
>> >>
>> >> David Singer
>> >> Multimedia and Software Standards, Apple Inc.
>> >>
>> >>
>> >>
>> 
>> 
>> 
>> 
>> -- 
>> Edward W. Felten
>> Professor of Computer Science and Public Affairs
>> Director, Center for Information Technology Policy
>> Princeton University                
>> 609-258-5906           http://www.cs.princeton.edu/~felten
> 
> 
> 
> 
> -- 
> Edward W. Felten
> Professor of Computer Science and Public Affairs
> Director, Center for Information Technology Policy
> Princeton University                
> 609-258-5906           http://www.cs.princeton.edu/~felten
Received on Tuesday, 9 July 2013 22:11:34 UTC