- From: Edward W. Felten <felten@CS.Princeton.EDU>
- Date: Wed, 10 Jul 2013 08:25:12 -0400
- To: "<public-tracking@w3.org>" <public-tracking@w3.org>
- Message-ID: <CANZBoGh1t5r6tb3+N+ujWomBc0JNJ_W0_NyLGqPqECaq6YnZnw@mail.gmail.com>
[Sorry, meant to send this to the list.] ---------- Forwarded message ---------- From: Edward W. Felten <felten@cs.princeton.edu> Date: Wed, Jul 10, 2013 at 8:24 AM Subject: Re: June Change Proposal: Definition of Tracking (ISSUE-5) To: Shane Wiley <wileys@yahoo-inc.com> It's not true that this information is always sent as part of a URL. It is sometimes sent via a non-URL transfer mechanism in HTTP (e.g. the message body of an HTTP POST) or via a non-HTTP protocol. There are plenty of ways for client-side code to transmit tracking information back to a server besides putting the information in a URL. On Wed, Jul 10, 2013 at 8:09 AM, Shane Wiley <wileys@yahoo-inc.com> wrote: > Ed,**** > > ** ** > > Those additional calls are still expressed a web server requests for > logging – aka URLs – hence our simplification to URLs to speed discussion > within the group.**** > > ** ** > > - Shane**** > > ** ** > > *From:* Edward W. Felten [mailto:felten@cs.princeton.edu] > *Sent:* Wednesday, July 10, 2013 1:05 PM > *To:* Shane Wiley > > *Subject:* Re: June Change Proposal: Definition of Tracking (ISSUE-5)**** > > ** ** > > Sites have other ways of observing user activity, such as via calls to > client-side Javascript APIs. They also associate additional information, > possibly from other sources, with the user and/or the activity. **** > > ** ** > > The DAA definition covers "data records that are, or can be, associated > with activity ..." **** > > ** ** > > ** ** > > On Wed, Jul 10, 2013 at 7:43 AM, Shane Wiley <wileys@yahoo-inc.com> wrote: > **** > > Ed – a web server receives an HTTP request (activity) in the form of a URL > (may carry a query string argument) along with header information (such as > technographics). What other “activity” are you envisioned is associated > with that event?**** > > **** > > - Shane**** > > **** > > *From:* Edward W. Felten [mailto:felten@cs.princeton.edu] > *Sent:* Wednesday, July 10, 2013 12:36 PM**** > > > *To:* Shane Wiley > *Cc:* rob@blaeu.com; Alan Chapell; David Singer; public-tracking@w3.org > *Subject:* Re: June Change Proposal: Definition of Tracking (ISSUE-5)**** > > **** > > My question was about the DAA text "data records that are, or can be, > associated with activity ..." Even if "activity" means only URLs + unique > IDs --- which doesn't seem to be a natural reading of "activity"---the DAA > text would cover not just the activity itself, but also all data that are, > or can be, can be associated with the activity.**** > > **** > > On Wed, Jul 10, 2013 at 3:52 AM, Shane Wiley <wileys@yahoo-inc.com> wrote: > **** > > Activity = “URLs”. **** > > IDs = “specific user, user agent, computer, or device”.**** > > **** > > “Activity…linked to a specific user, user agent, computer, or device” = > IDs + URLs.**** > > **** > > - Shane**** > > **** > > *From:* Edward W. Felten [mailto:felten@cs.princeton.edu] > *Sent:* Tuesday, July 09, 2013 10:22 PM > *To:* Shane Wiley > *Cc:* rob@blaeu.com; Alan Chapell; David Singer; public-tracking@w3.org*** > * > > > *Subject:* Re: June Change Proposal: Definition of Tracking (ISSUE-5)**** > > **** > > The definition in the DAA text is "Tracking is the collection and > retention , or use, after a network interaction is complete, of data > records that are, or can be, associated with of activity across > non-affiliated websites linked to a specific user, user agent computer, or > device."**** > > **** > > I don't see anything in that definition that limits it to "IDs + URLs". > It seems to cover "data records that are, or can be, associated with > activity ..."**** > > **** > > On Tue, Jul 9, 2013 at 2:24 PM, Shane Wiley <wileys@yahoo-inc.com> wrote:* > *** > > Rob, > > This definition is too broad and therefore not likely to be implemented. > If we instead focus on tracking as being the association of a unique ID > (any source - including digital fingerprints) with web activity (URLs) > across non-affiliated sites - we have a foundation upon which we can build > a lasting DNT standard (and one that will be implemented and advanced user > privacy in a real way). > > Could you please provide examples where you feel the industry definition > is too narrow (IDs + URLs)? This appears to hit right at the very heart of > the concept of "online tracking" and hopefully builds a definition by which > our activities can be appropriately focused. > > Please keep in mind the technical side of the specification is so easy to > game that we should expect rates exceeding 50% to 80% of DNT:1. > > - Shane**** > > > -----Original Message----- > From: Rob van Eijk [mailto:rob@blaeu.com] > Sent: Tuesday, July 09, 2013 6:21 AM > To: Alan Chapell > Cc: David Singer; public-tracking@w3.org > Subject: Re: June Change Proposal: Definition of Tracking (ISSUE-5)**** > > Just to let you know that the DPAs specifically ruled out fingerprinting > as an alternative for cookie based tracking in the Berlin Group opinion on > Web Tracking and Privacy. > > Keeping a definition technology neutral is fine with me. Wishing > fingerprinting is off the radar for DPAs is not a preferred move. It would > be wise to include fingerprinting specifically in non-normative text, if a > definition has to be part of the standard. > > > I am proposing a new tracking defintion and non-normative text: > > Tracking is any form of collection, retention, use and/or application of > data that are, or can be, associated with a specific user, user agent, or > device. > > Non normative explanation: Tracking is not exclusively connected to unique > ID cookies. Tracking includes automated real time decisions, intended to > analyse or predict the personality or certain personal aspects relating to > a natural person, including the analysis and prediction of the person’s > health, economic situation, information on political or philosophical > beliefs , performance at work, leisure, personal preferences or interests, > details and patterns on behavior, detailed location or movements. Tracking > is defined in a technological neutral way and includes e.g. cookie based > tracking technology, active and passive fingerprinting techniques. > > > Rob > > Alan Chapell schreef op 2013-07-09 14:42: > > Well put, David. I'm not sure we want to call out digital > > fingerprinting specifically - technology neutral is best. > > > > > > On 7/9/13 8:04 AM, "David Singer" <singer@apple.com> wrote: > > > >> > >> On Jul 9, 2013, at 12:33 , Rob van Eijk <rob@blaeu.com> wrote: > >> > >>> > >>>>>> well, the fingerprint is used as a key to some data storageŠ > >>>>> What if it isn't? What if a website collects a fingerprint and > >>>>> then discards it? Surely that should still be prohibited. > >>>> So, during the transaction, the server calculates a fingerprint > >>>> that's plausibly unique to the user, and then when the transaction > >>>> is complete, it discards the fingerprint. It can't now have > >>>> anything retained that's keyed to that fingerprint, and it can't > >>>> know if the same user visits again (fingerprint match). I don't > >>>> see the point, but I don't see a problem. > >>> > >>> > >>> Fingerprints do in may cases end up in data sets as matching > >>> identifiers. > >> > >> Then data is being retained. > >> > >>> > >>> Even if a fingerprint is discarded, it can facilitate the linking of > >>> new data to already collected data. > >> > >> how? if I discard the fingerprint (it's not recorded anywhere)Š > >> > >>> Therefore, fingerprinting is important to address when DNT:1. > >>> > >>> DNT:1 must cover fingerprinting based tracking equal to cookie based > >>> tracking. > >> > >> DNT should cover *tracking*, and we might have comments or notes on > >> what constitutes tracking, retention, etc., but I think it very > >> dangerous to talk of specific technologies in the normative text. > >> > >>> > >>> > >>> David Singer schreef op 2013-07-09 13:05: > >>>> On Jul 8, 2013, at 20:46 , Jonathan Mayer <jmayer@stanford.edu> > >>>> wrote: > >>>>>> that could usefully be made clear (that storing information in a > >>>>>> cookie that later should come back to you is still 'retaining'. > >>>>> I'd prefer to focus on privacy properties, not particular > >>>>> technical implementations. My concern is not the use of browser > >>>>> storage. > >>>>> It's > >>>>> the information flow from the browser to the website. > >>>> Sure, my focus is on what information is retained in the sense it > >>>> is usable by the site(s) after the transaction is over. Where it > >>>> is (local, cloud, client, service provider, etc.) are irrelevant. > >>>>>>> (And what about fingerprinting, where there is no client-side > >>>>>>> information stored?) > >>>>>> well, the fingerprint is used as a key to some data storageŠ > >>>>> What if it isn't? What if a website collects a fingerprint and > >>>>> then discards it? Surely that should still be prohibited. > >>>> So, during the transaction, the server calculates a fingerprint > >>>> that's plausibly unique to the user, and then when the transaction > >>>> is complete, it discards the fingerprint. It can't now have > >>>> anything retained that's keyed to that fingerprint, and it can't > >>>> know if the same user visits again (fingerprint match). I don't > >>>> see the point, but I don't see a problem. > >>>>>>> At any rate, I'm inclined to hold this (constructive!) > >>>>>>> conversation until we decide a) to have a definition of > >>>>>>> "tracking" and b) to make that definition normative. > >>>>>> The june document has such, so we should make sure it's > >>>>>> watertight. > >>>>>> that's why I am pressing for specifics. yes, it's helpful. > >>>>> The June draft definition is de jure normative, but de facto > >>>>> non-normative since it isn't used anywhere. > >>>> Indeed, I have CPs to make it used. It's used by implication but > >>>> not by the text. > >>>> David Singer > >>>> Multimedia and Software Standards, Apple Inc. > >> > >> David Singer > >> Multimedia and Software Standards, Apple Inc. > >> > >> > >>**** > > > > **** > > **** > > -- > Edward W. Felten > Professor of Computer Science and Public Affairs > Director, Center for Information Technology Policy > Princeton University > 609-258-5906 http://www.cs.princeton.edu/~felten **** > > > > **** > > **** > > -- > Edward W. Felten > Professor of Computer Science and Public Affairs > Director, Center for Information Technology Policy > Princeton University > 609-258-5906 http://www.cs.princeton.edu/~felten **** > > > > **** > > ** ** > > -- > Edward W. Felten > Professor of Computer Science and Public Affairs > Director, Center for Information Technology Policy > Princeton University > 609-258-5906 http://www.cs.princeton.edu/~felten **** > -- Edward W. Felten Professor of Computer Science and Public Affairs Director, Center for Information Technology Policy Princeton University 609-258-5906 http://www.cs.princeton.edu/~felten -- Edward W. Felten Professor of Computer Science and Public Affairs Director, Center for Information Technology Policy Princeton University 609-258-5906 http://www.cs.princeton.edu/~felten
Received on Wednesday, 10 July 2013 12:25:58 UTC