Re: June Change Proposal: Definition of Tracking (ISSUE-5) from Lee Tien on 2013-07-10 (public-tracking@w3.org from July 2013)

From: Lee Tien <tien@eff.org>
Date: Wed, 10 Jul 2013 08:00:31 -0700
To: Shane Wiley <wileys@yahoo-inc.com>
Cc: "Edward W. Felten" <felten@cs.princeton.edu>, "<public-tracking@w3.org>" <public-tracking@w3.org>
Message-Id: <7E34485B-07AF-499C-9D10-FCB3B1EF7B98@eff.org>
That's part of my confusion as a non-technical guy.  Time/date is data that matters.  So is location.  Are they part of ID/URL?

Lee

Sent from my iPhone

On Jul 10, 2013, at 5:42 AM, Shane Wiley <wileys@yahoo-inc.com> wrote:

> Ed,
>  
> I believe there is concern on the industry side that activity can be OVERLY interpreted as well and therefore we feel it’s important to provide a bit of guidance of what this means in normative text.  Perhaps we simply define “Activity” as well.
>  
> - Shane
>  
> From: Edward W. Felten [mailto:felten@cs.princeton.edu] 
> Sent: Wednesday, July 10, 2013 1:36 PM
> To: Shane Wiley
> Cc: <public-tracking@w3.org>
> Subject: Re: June Change Proposal: Definition of Tracking (ISSUE-5)
>  
> If these are only simplifications for discussion, then it would make sense to move them to non-normative text, rather than including them in the definition.   Otherwise readers of the spec might think that the covered data and activity is limited to URLs plus unique IDs.
>  
> 
> On Wed, Jul 10, 2013 at 8:28 AM, Shane Wiley <wileys@yahoo-inc.com> wrote:
> Even form posts are logged as pseudo URLs in a web server log but I generally agree with you - and DNT should cover all of these use cases – we’re only using URLs as a simplification mechanism for discussion.
>  
> - Shane
>  
> From: Edward W. Felten [mailto:felten@CS.Princeton.EDU] 
> Sent: Wednesday, July 10, 2013 1:25 PM
> To: <public-tracking@w3.org>
> Subject: Fwd: June Change Proposal: Definition of Tracking (ISSUE-5)
>  
> [Sorry, meant to send this to the list.]
> 
> ---------- Forwarded message ----------
> From: Edward W. Felten <felten@cs.princeton.edu>
> Date: Wed, Jul 10, 2013 at 8:24 AM
> Subject: Re: June Change Proposal: Definition of Tracking (ISSUE-5)
> To: Shane Wiley <wileys@yahoo-inc.com>
> 
> It's not true that this information is always sent as part of a URL.    It is sometimes sent via a non-URL transfer mechanism in HTTP (e.g. the message body of an HTTP POST) or via a non-HTTP protocol.  
>  
> There are plenty of ways for client-side code to transmit tracking information back to a server besides putting the information in a URL.
>  
>  
>  
> 
> On Wed, Jul 10, 2013 at 8:09 AM, Shane Wiley <wileys@yahoo-inc.com> wrote:
> Ed,
>  
> Those additional calls are still expressed a web server requests for logging – aka URLs – hence our simplification to URLs to speed discussion within the group.
>  
> - Shane
>  
> From: Edward W. Felten [mailto:felten@cs.princeton.edu] 
> Sent: Wednesday, July 10, 2013 1:05 PM
> To: Shane Wiley
> 
> Subject: Re: June Change Proposal: Definition of Tracking (ISSUE-5)
>  
> Sites have other ways of observing user activity, such as via calls to client-side Javascript APIs.   They also associate additional information, possibly from other sources, with the user and/or the activity.  
>  
> The DAA definition covers "data records that are, or can be, associated with activity ..." 
>  
>  
> 
> On Wed, Jul 10, 2013 at 7:43 AM, Shane Wiley <wileys@yahoo-inc.com> wrote:
> Ed – a web server receives an HTTP request (activity) in the form of a URL (may carry a query string argument) along with header information (such as technographics).  What other “activity” are you envisioned is associated with that event?
>  
> - Shane
>  
> From: Edward W. Felten [mailto:felten@cs.princeton.edu] 
> Sent: Wednesday, July 10, 2013 12:36 PM
> 
> To: Shane Wiley
> Cc: rob@blaeu.com; Alan Chapell; David Singer; public-tracking@w3.org
> Subject: Re: June Change Proposal: Definition of Tracking (ISSUE-5)
>  
> My question was about the DAA text "data records that are, or can be, associated with activity ..."   Even if "activity" means only URLs + unique IDs --- which doesn't seem to be a natural reading of "activity"---the DAA text would cover not just the activity itself, but also all data that are, or can be, can be associated with the activity.
>  
> 
> On Wed, Jul 10, 2013 at 3:52 AM, Shane Wiley <wileys@yahoo-inc.com> wrote:
> Activity = “URLs”. 
> IDs = “specific user, user agent, computer, or device”.
>  
> “Activity…linked to a specific user, user agent, computer, or device” = IDs + URLs.
>  
> - Shane
>  
> From: Edward W. Felten [mailto:felten@cs.princeton.edu] 
> Sent: Tuesday, July 09, 2013 10:22 PM
> To: Shane Wiley
> Cc: rob@blaeu.com; Alan Chapell; David Singer; public-tracking@w3.org
> 
> Subject: Re: June Change Proposal: Definition of Tracking (ISSUE-5)
>  
> The definition in the DAA text is "Tracking is the collection and retention , or use, after a network interaction is complete, of data records that are, or can be, associated with of activity across non-affiliated websites linked to a specific user, user agent computer, or device."
>  
> I don't see anything in that definition that limits it to "IDs + URLs".   It seems to cover "data records that are, or can be, associated with activity ..."
>  
> 
> On Tue, Jul 9, 2013 at 2:24 PM, Shane Wiley <wileys@yahoo-inc.com> wrote:
> Rob,
> 
> This definition is too broad and therefore not likely to be implemented.  If we instead focus on tracking as being the association of a unique ID (any source - including digital fingerprints) with web activity (URLs) across non-affiliated sites - we have a foundation upon which we can build a lasting DNT standard (and one that will be implemented and advanced user privacy in a real way).
> 
> Could you please provide examples where you feel the industry definition is too narrow (IDs + URLs)?  This appears to hit right at the very heart of the concept of "online tracking" and hopefully builds a definition by which our activities can be appropriately focused.
> 
> Please keep in mind the technical side of the specification is so easy to game that we should expect rates exceeding 50% to 80% of DNT:1.
> 
> - Shane
> 
> -----Original Message-----
> From: Rob van Eijk [mailto:rob@blaeu.com]
> Sent: Tuesday, July 09, 2013 6:21 AM
> To: Alan Chapell
> Cc: David Singer; public-tracking@w3.org
> Subject: Re: June Change Proposal: Definition of Tracking (ISSUE-5)
> 
> Just to let you know that the DPAs specifically ruled out fingerprinting as an alternative for cookie based tracking in the Berlin Group opinion on Web Tracking and Privacy.
> 
> Keeping a definition technology neutral is fine with me. Wishing fingerprinting is off the radar for DPAs is not a preferred move. It would be wise to include fingerprinting specifically in non-normative text, if a definition has to be part of the standard.
> 
> 
> I am proposing a new tracking defintion and non-normative text:
> 
> Tracking is any form of collection, retention, use and/or application of data that are, or can be, associated with a specific user, user agent, or device.
> 
> Non normative explanation: Tracking is not exclusively connected to unique ID cookies. Tracking includes automated real time decisions, intended to analyse or predict the personality or certain personal aspects relating to a natural person, including the analysis and prediction of the person’s health, economic situation, information on political or philosophical beliefs , performance at work, leisure, personal preferences or interests, details and patterns on behavior, detailed location or movements. Tracking is defined in a technological neutral way and includes e.g. cookie based tracking technology, active and passive fingerprinting techniques.
> 
> 
> Rob
> 
> Alan Chapell schreef op 2013-07-09 14:42:
> > Well put, David. I'm not sure we want to call out digital
> > fingerprinting specifically - technology neutral is best.
> >
> >
> > On 7/9/13 8:04 AM, "David Singer" <singer@apple.com> wrote:
> >
> >>
> >> On Jul 9, 2013, at 12:33 , Rob van Eijk <rob@blaeu.com> wrote:
> >>
> >>>
> >>>>>> well, the fingerprint is used as a key to some data storageŠ
> >>>>> What if it isn't?  What if a website collects a fingerprint and
> >>>>> then discards it?  Surely that should still be prohibited.
> >>>> So, during the transaction, the server calculates a fingerprint
> >>>> that's plausibly unique to the user, and then when the transaction
> >>>> is complete, it discards the fingerprint.  It can't now have
> >>>> anything retained that's keyed to that fingerprint, and it can't
> >>>> know if the same user visits again (fingerprint match).  I don't
> >>>> see the point, but I don't see a problem.
> >>>
> >>>
> >>> Fingerprints do in may cases end up in data sets as matching
> >>> identifiers.
> >>
> >> Then data is being retained.
> >>
> >>>
> >>> Even if a fingerprint is discarded, it can facilitate the linking of
> >>> new data to already collected data.
> >>
> >> how?  if I discard the fingerprint (it's not recorded anywhere)Š
> >>
> >>> Therefore, fingerprinting is important to address when DNT:1.
> >>>
> >>> DNT:1 must cover fingerprinting based tracking equal to cookie based
> >>> tracking.
> >>
> >> DNT should cover *tracking*, and we might have comments or notes on
> >> what constitutes tracking, retention, etc., but I think it very
> >> dangerous to talk of specific technologies in the normative text.
> >>
> >>>
> >>>
> >>> David Singer schreef op 2013-07-09 13:05:
> >>>> On Jul 8, 2013, at 20:46 , Jonathan Mayer <jmayer@stanford.edu>
> >>>> wrote:
> >>>>>> that could usefully be made clear (that storing information in a
> >>>>>> cookie that later should come back to you is still 'retaining'.
> >>>>> I'd prefer to focus on privacy properties, not particular
> >>>>> technical implementations.  My concern is not the use of browser
> >>>>> storage.
> >>>>> It's
> >>>>> the information flow from the browser to the website.
> >>>> Sure, my focus is on what information is retained in the sense it
> >>>> is usable by the site(s) after the transaction is over.  Where it
> >>>> is (local, cloud, client, service provider, etc.) are irrelevant.
> >>>>>>> (And what about fingerprinting, where there is no client-side
> >>>>>>> information stored?)
> >>>>>> well, the fingerprint is used as a key to some data storageŠ
> >>>>> What if it isn't?  What if a website collects a fingerprint and
> >>>>> then discards it?  Surely that should still be prohibited.
> >>>> So, during the transaction, the server calculates a fingerprint
> >>>> that's plausibly unique to the user, and then when the transaction
> >>>> is complete, it discards the fingerprint.  It can't now have
> >>>> anything retained that's keyed to that fingerprint, and it can't
> >>>> know if the same user visits again (fingerprint match).  I don't
> >>>> see the point, but I don't see a problem.
> >>>>>>> At any rate, I'm inclined to hold this (constructive!)
> >>>>>>> conversation until we decide a) to have a definition of
> >>>>>>> "tracking" and b) to make that definition normative.
> >>>>>> The june document has such, so we should make sure it's
> >>>>>> watertight.
> >>>>>> that's why I am pressing for specifics. yes, it's helpful.
> >>>>> The June draft definition is de jure normative, but de facto
> >>>>> non-normative since it isn't used anywhere.
> >>>> Indeed, I have CPs to make it used.  It's used by implication but
> >>>> not by the text.
> >>>> David Singer
> >>>> Multimedia and Software Standards, Apple Inc.
> >>
> >> David Singer
> >> Multimedia and Software Standards, Apple Inc.
> >>
> >>
> >>
> 
> 
> 
>  
> -- 
> Edward W. Felten
> Professor of Computer Science and Public Affairs
> Director, Center for Information Technology Policy
> Princeton University                
> 609-258-5906           http://www.cs.princeton.edu/~felten 
> 
> 
>  
> -- 
> Edward W. Felten
> Professor of Computer Science and Public Affairs
> Director, Center for Information Technology Policy
> Princeton University                
> 609-258-5906           http://www.cs.princeton.edu/~felten 
> 
> 
>  
> -- 
> Edward W. Felten
> Professor of Computer Science and Public Affairs
> Director, Center for Information Technology Policy
> Princeton University                
> 609-258-5906           http://www.cs.princeton.edu/~felten 
> 
> 
>  
> -- 
> Edward W. Felten
> Professor of Computer Science and Public Affairs
> Director, Center for Information Technology Policy
> Princeton University                
> 609-258-5906           http://www.cs.princeton.edu/~felten 
> 
> 
>  
> -- 
> Edward W. Felten
> Professor of Computer Science and Public Affairs
> Director, Center for Information Technology Policy
> Princeton University                
> 609-258-5906           http://www.cs.princeton.edu/~felten 
> 
> 
>  
> -- 
> Edward W. Felten
> Professor of Computer Science and Public Affairs
> Director, Center for Information Technology Policy
> Princeton University                
> 609-258-5906           http://www.cs.princeton.edu/~felten
Received on Wednesday, 10 July 2013 15:01:15 UTC