- From: Edward W. Felten <felten@CS.Princeton.EDU>
- Date: Wed, 10 Jul 2013 08:35:38 -0400
- To: Shane Wiley <wileys@yahoo-inc.com>
- Cc: "<public-tracking@w3.org>" <public-tracking@w3.org>
- Message-ID: <CANZBoGjD-+s4A483JOQ_J03j2agdoLSJ6=a-J=Q+5MsV7vhO6Q@mail.gmail.com>
If these are only simplifications for discussion, then it would make sense to move them to non-normative text, rather than including them in the definition. Otherwise readers of the spec might think that the covered data and activity is limited to URLs plus unique IDs. On Wed, Jul 10, 2013 at 8:28 AM, Shane Wiley <wileys@yahoo-inc.com> wrote: > Even form posts are logged as pseudo URLs in a web server log but I > generally agree with you - and DNT should cover all of these use cases - > we're only using URLs as a simplification mechanism for discussion.**** > > ** ** > > - Shane**** > > ** ** > > *From:* Edward W. Felten [mailto:felten@CS.Princeton.EDU] > *Sent:* Wednesday, July 10, 2013 1:25 PM > *To:* <public-tracking@w3.org> > *Subject:* Fwd: June Change Proposal: Definition of Tracking (ISSUE-5)**** > > ** ** > > [Sorry, meant to send this to the list.]**** > > ---------- Forwarded message ---------- > From: *Edward W. Felten* <felten@cs.princeton.edu> > Date: Wed, Jul 10, 2013 at 8:24 AM > Subject: Re: June Change Proposal: Definition of Tracking (ISSUE-5) > To: Shane Wiley <wileys@yahoo-inc.com> > > **** > > It's not true that this information is always sent as part of a URL. It > is sometimes sent via a non-URL transfer mechanism in HTTP (e.g. the > message body of an HTTP POST) or via a non-HTTP protocol. **** > > ** ** > > There are plenty of ways for client-side code to transmit tracking > information back to a server besides putting the information in a URL.**** > > ** ** > > ** ** > > ** ** > > On Wed, Jul 10, 2013 at 8:09 AM, Shane Wiley <wileys@yahoo-inc.com> wrote: > **** > > Ed,**** > > **** > > Those additional calls are still expressed a web server requests for > logging - aka URLs - hence our simplification to URLs to speed discussion > within the group.**** > > **** > > - Shane**** > > **** > > *From:* Edward W. Felten [mailto:felten@cs.princeton.edu] > *Sent:* Wednesday, July 10, 2013 1:05 PM > *To:* Shane Wiley**** > > > *Subject:* Re: June Change Proposal: Definition of Tracking (ISSUE-5)**** > > **** > > Sites have other ways of observing user activity, such as via calls to > client-side Javascript APIs. They also associate additional information, > possibly from other sources, with the user and/or the activity. **** > > **** > > The DAA definition covers "data records that are, or can be, associated > with activity ..." **** > > **** > > **** > > On Wed, Jul 10, 2013 at 7:43 AM, Shane Wiley <wileys@yahoo-inc.com> wrote: > **** > > Ed - a web server receives an HTTP request (activity) in the form of a URL > (may carry a query string argument) along with header information (such as > technographics). What other "activity" are you envisioned is associated > with that event?**** > > **** > > - Shane**** > > **** > > *From:* Edward W. Felten [mailto:felten@cs.princeton.edu] > *Sent:* Wednesday, July 10, 2013 12:36 PM**** > > > *To:* Shane Wiley > *Cc:* rob@blaeu.com; Alan Chapell; David Singer; public-tracking@w3.org > *Subject:* Re: June Change Proposal: Definition of Tracking (ISSUE-5)**** > > **** > > My question was about the DAA text "data records that are, or can be, > associated with activity ..." Even if "activity" means only URLs + unique > IDs --- which doesn't seem to be a natural reading of "activity"---the DAA > text would cover not just the activity itself, but also all data that are, > or can be, can be associated with the activity.**** > > **** > > On Wed, Jul 10, 2013 at 3:52 AM, Shane Wiley <wileys@yahoo-inc.com> wrote: > **** > > Activity = "URLs". **** > > IDs = "specific user, user agent, computer, or device".**** > > **** > > "Activity...linked to a specific user, user agent, computer, or device" = > IDs + URLs.**** > > **** > > - Shane**** > > **** > > *From:* Edward W. Felten [mailto:felten@cs.princeton.edu] > *Sent:* Tuesday, July 09, 2013 10:22 PM > *To:* Shane Wiley > *Cc:* rob@blaeu.com; Alan Chapell; David Singer; public-tracking@w3.org*** > * > > > *Subject:* Re: June Change Proposal: Definition of Tracking (ISSUE-5)**** > > **** > > The definition in the DAA text is "Tracking is the collection and > retention , or use, after a network interaction is complete, of data > records that are, or can be, associated with of activity across > non-affiliated websites linked to a specific user, user agent computer, or > device."**** > > **** > > I don't see anything in that definition that limits it to "IDs + URLs". > It seems to cover "data records that are, or can be, associated with > activity ..."**** > > **** > > On Tue, Jul 9, 2013 at 2:24 PM, Shane Wiley <wileys@yahoo-inc.com> wrote:* > *** > > Rob, > > This definition is too broad and therefore not likely to be implemented. > If we instead focus on tracking as being the association of a unique ID > (any source - including digital fingerprints) with web activity (URLs) > across non-affiliated sites - we have a foundation upon which we can build > a lasting DNT standard (and one that will be implemented and advanced user > privacy in a real way). > > Could you please provide examples where you feel the industry definition > is too narrow (IDs + URLs)? This appears to hit right at the very heart of > the concept of "online tracking" and hopefully builds a definition by which > our activities can be appropriately focused. > > Please keep in mind the technical side of the specification is so easy to > game that we should expect rates exceeding 50% to 80% of DNT:1. > > - Shane**** > > > -----Original Message----- > From: Rob van Eijk [mailto:rob@blaeu.com] > Sent: Tuesday, July 09, 2013 6:21 AM > To: Alan Chapell > Cc: David Singer; public-tracking@w3.org > Subject: Re: June Change Proposal: Definition of Tracking (ISSUE-5)**** > > Just to let you know that the DPAs specifically ruled out fingerprinting > as an alternative for cookie based tracking in the Berlin Group opinion on > Web Tracking and Privacy. > > Keeping a definition technology neutral is fine with me. Wishing > fingerprinting is off the radar for DPAs is not a preferred move. It would > be wise to include fingerprinting specifically in non-normative text, if a > definition has to be part of the standard. > > > I am proposing a new tracking defintion and non-normative text: > > Tracking is any form of collection, retention, use and/or application of > data that are, or can be, associated with a specific user, user agent, or > device. > > Non normative explanation: Tracking is not exclusively connected to unique > ID cookies. Tracking includes automated real time decisions, intended to > analyse or predict the personality or certain personal aspects relating to > a natural person, including the analysis and prediction of the person's > health, economic situation, information on political or philosophical > beliefs , performance at work, leisure, personal preferences or interests, > details and patterns on behavior, detailed location or movements. Tracking > is defined in a technological neutral way and includes e.g. cookie based > tracking technology, active and passive fingerprinting techniques. > > > Rob > > Alan Chapell schreef op 2013-07-09 14:42: > > Well put, David. I'm not sure we want to call out digital > > fingerprinting specifically - technology neutral is best. > > > > > > On 7/9/13 8:04 AM, "David Singer" <singer@apple.com> wrote: > > > >> > >> On Jul 9, 2013, at 12:33 , Rob van Eijk <rob@blaeu.com> wrote: > >> > >>> > >>>>>> well, the fingerprint is used as a key to some data storage© > >>>>> What if it isn't? What if a website collects a fingerprint and > >>>>> then discards it? Surely that should still be prohibited. > >>>> So, during the transaction, the server calculates a fingerprint > >>>> that's plausibly unique to the user, and then when the transaction > >>>> is complete, it discards the fingerprint. It can't now have > >>>> anything retained that's keyed to that fingerprint, and it can't > >>>> know if the same user visits again (fingerprint match). I don't > >>>> see the point, but I don't see a problem. > >>> > >>> > >>> Fingerprints do in may cases end up in data sets as matching > >>> identifiers. > >> > >> Then data is being retained. > >> > >>> > >>> Even if a fingerprint is discarded, it can facilitate the linking of > >>> new data to already collected data. > >> > >> how? if I discard the fingerprint (it's not recorded anywhere)© > >> > >>> Therefore, fingerprinting is important to address when DNT:1. > >>> > >>> DNT:1 must cover fingerprinting based tracking equal to cookie based > >>> tracking. > >> > >> DNT should cover *tracking*, and we might have comments or notes on > >> what constitutes tracking, retention, etc., but I think it very > >> dangerous to talk of specific technologies in the normative text. > >> > >>> > >>> > >>> David Singer schreef op 2013-07-09 13:05: > >>>> On Jul 8, 2013, at 20:46 , Jonathan Mayer <jmayer@stanford.edu> > >>>> wrote: > >>>>>> that could usefully be made clear (that storing information in a > >>>>>> cookie that later should come back to you is still 'retaining'. > >>>>> I'd prefer to focus on privacy properties, not particular > >>>>> technical implementations. My concern is not the use of browser > >>>>> storage. > >>>>> It's > >>>>> the information flow from the browser to the website. > >>>> Sure, my focus is on what information is retained in the sense it > >>>> is usable by the site(s) after the transaction is over. Where it > >>>> is (local, cloud, client, service provider, etc.) are irrelevant. > >>>>>>> (And what about fingerprinting, where there is no client-side > >>>>>>> information stored?) > >>>>>> well, the fingerprint is used as a key to some data storage© > >>>>> What if it isn't? What if a website collects a fingerprint and > >>>>> then discards it? Surely that should still be prohibited. > >>>> So, during the transaction, the server calculates a fingerprint > >>>> that's plausibly unique to the user, and then when the transaction > >>>> is complete, it discards the fingerprint. It can't now have > >>>> anything retained that's keyed to that fingerprint, and it can't > >>>> know if the same user visits again (fingerprint match). I don't > >>>> see the point, but I don't see a problem. > >>>>>>> At any rate, I'm inclined to hold this (constructive!) > >>>>>>> conversation until we decide a) to have a definition of > >>>>>>> "tracking" and b) to make that definition normative. > >>>>>> The june document has such, so we should make sure it's > >>>>>> watertight. > >>>>>> that's why I am pressing for specifics. yes, it's helpful. > >>>>> The June draft definition is de jure normative, but de facto > >>>>> non-normative since it isn't used anywhere. > >>>> Indeed, I have CPs to make it used. It's used by implication but > >>>> not by the text. > >>>> David Singer > >>>> Multimedia and Software Standards, Apple Inc. > >> > >> David Singer > >> Multimedia and Software Standards, Apple Inc. > >> > >> > >>**** > > > > **** > > **** > > -- > Edward W. Felten > Professor of Computer Science and Public Affairs > Director, Center for Information Technology Policy > Princeton University > 609-258-5906 http://www.cs.princeton.edu/~felten **** > > > > **** > > **** > > -- > Edward W. Felten > Professor of Computer Science and Public Affairs > Director, Center for Information Technology Policy > Princeton University > 609-258-5906 http://www.cs.princeton.edu/~felten **** > > > > **** > > **** > > -- > Edward W. Felten > Professor of Computer Science and Public Affairs > Director, Center for Information Technology Policy > Princeton University > 609-258-5906 http://www.cs.princeton.edu/~felten **** > > > > **** > > ** ** > > -- > Edward W. Felten > Professor of Computer Science and Public Affairs > Director, Center for Information Technology Policy > Princeton University > 609-258-5906 http://www.cs.princeton.edu/~felten **** > > > > **** > > ** ** > > -- > Edward W. Felten > Professor of Computer Science and Public Affairs > Director, Center for Information Technology Policy > Princeton University > 609-258-5906 http://www.cs.princeton.edu/~felten **** > -- Edward W. Felten Professor of Computer Science and Public Affairs Director, Center for Information Technology Policy Princeton University 609-258-5906 http://www.cs.princeton.edu/~felten
Received on Wednesday, 10 July 2013 12:36:25 UTC