W3C home > Mailing lists > Public > public-tracking@w3.org > July 2013

Re: June Change Proposal: Definition of Tracking (ISSUE-5)

From: Peter Cranstone <peter.cranstone@3pmobile.com>
Date: Wed, 10 Jul 2013 15:05:46 +0000
To: Lee Tien <tien@eff.org>, Shane Wiley <wileys@yahoo-inc.com>
CC: "Edward W. Felten" <felten@cs.princeton.edu>, "<public-tracking@w3.org>" <public-tracking@w3.org>
Message-ID: <CE02D44F.17EB%peter.cranstone@3pmobile.com>
Sure… just use REST and add the data after the ?




Peter


From: Lee Tien <tien@eff.org<mailto:tien@eff.org>>
Date: Wednesday, July 10, 2013 9:00 AM
To: Shane Wiley <wileys@yahoo-inc.com<mailto:wileys@yahoo-inc.com>>
Cc: "Edward W. Felten" <felten@cs.princeton.edu<mailto:felten@cs.princeton.edu>>, "<public-tracking@w3.org<mailto:public-tracking@w3.org>>" <public-tracking@w3.org<mailto:public-tracking@w3.org>>
Subject: Re: June Change Proposal: Definition of Tracking (ISSUE-5)
Resent-From: <public-tracking@w3.org<mailto:public-tracking@w3.org>>
Resent-Date: Wednesday, July 10, 2013 9:01 AM

That's part of my confusion as a non-technical guy.  Time/date is data that matters.  So is location.  Are they part of ID/URL?

Lee

Sent from my iPhone

On Jul 10, 2013, at 5:42 AM, Shane Wiley <wileys@yahoo-inc.com<mailto:wileys@yahoo-inc.com>> wrote:

Ed,

I believe there is concern on the industry side that activity can be OVERLY interpreted as well and therefore we feel it’s important to provide a bit of guidance of what this means in normative text.  Perhaps we simply define “Activity” as well.

- Shane

From: Edward W. Felten [mailto:felten@cs.princeton.edu]
Sent: Wednesday, July 10, 2013 1:36 PM
To: Shane Wiley
Cc: <public-tracking@w3.org<mailto:public-tracking@w3.org>>
Subject: Re: June Change Proposal: Definition of Tracking (ISSUE-5)

If these are only simplifications for discussion, then it would make sense to move them to non-normative text, rather than including them in the definition.   Otherwise readers of the spec might think that the covered data and activity is limited to URLs plus unique IDs.

On Wed, Jul 10, 2013 at 8:28 AM, Shane Wiley <wileys@yahoo-inc.com<mailto:wileys@yahoo-inc.com>> wrote:
Even form posts are logged as pseudo URLs in a web server log but I generally agree with you - and DNT should cover all of these use cases – we’re only using URLs as a simplification mechanism for discussion.

- Shane

From: Edward W. Felten [mailto:felten@CS.Princeton.EDU<mailto:felten@CS.Princeton.EDU>]
Sent: Wednesday, July 10, 2013 1:25 PM
To: <public-tracking@w3.org<mailto:public-tracking@w3.org>>
Subject: Fwd: June Change Proposal: Definition of Tracking (ISSUE-5)

[Sorry, meant to send this to the list.]
---------- Forwarded message ----------
From: Edward W. Felten <felten@cs.princeton.edu<mailto:felten@cs.princeton.edu>>
Date: Wed, Jul 10, 2013 at 8:24 AM
Subject: Re: June Change Proposal: Definition of Tracking (ISSUE-5)
To: Shane Wiley <wileys@yahoo-inc.com<mailto:wileys@yahoo-inc.com>>
It's not true that this information is always sent as part of a URL.    It is sometimes sent via a non-URL transfer mechanism in HTTP (e.g. the message body of an HTTP POST) or via a non-HTTP protocol.

There are plenty of ways for client-side code to transmit tracking information back to a server besides putting the information in a URL.



On Wed, Jul 10, 2013 at 8:09 AM, Shane Wiley <wileys@yahoo-inc.com<mailto:wileys@yahoo-inc.com>> wrote:
Ed,

Those additional calls are still expressed a web server requests for logging – aka URLs – hence our simplification to URLs to speed discussion within the group.

- Shane

From: Edward W. Felten [mailto:felten@cs.princeton.edu<mailto:felten@cs.princeton.edu>]
Sent: Wednesday, July 10, 2013 1:05 PM
To: Shane Wiley

Subject: Re: June Change Proposal: Definition of Tracking (ISSUE-5)

Sites have other ways of observing user activity, such as via calls to client-side Javascript APIs.   They also associate additional information, possibly from other sources, with the user and/or the activity.

The DAA definition covers "data records that are, or can be, associated with activity ..."


On Wed, Jul 10, 2013 at 7:43 AM, Shane Wiley <wileys@yahoo-inc.com<mailto:wileys@yahoo-inc.com>> wrote:
Ed – a web server receives an HTTP request (activity) in the form of a URL (may carry a query string argument) along with header information (such as technographics).  What other “activity” are you envisioned is associated with that event?

- Shane

From: Edward W. Felten [mailto:felten@cs.princeton.edu<mailto:felten@cs.princeton.edu>]
Sent: Wednesday, July 10, 2013 12:36 PM

To: Shane Wiley
Cc: rob@blaeu.com<mailto:rob@blaeu.com>; Alan Chapell; David Singer; public-tracking@w3.org<mailto:public-tracking@w3.org>
Subject: Re: June Change Proposal: Definition of Tracking (ISSUE-5)

My question was about the DAA text "data records that are, or can be, associated with activity ..."   Even if "activity" means only URLs + unique IDs --- which doesn't seem to be a natural reading of "activity"---the DAA text would cover not just the activity itself, but also all data that are, or can be, can be associated with the activity.

On Wed, Jul 10, 2013 at 3:52 AM, Shane Wiley <wileys@yahoo-inc.com<mailto:wileys@yahoo-inc.com>> wrote:
Activity = “URLs”.
IDs = “specific user, user agent, computer, or device”.

“Activity…linked to a specific user, user agent, computer, or device” = IDs + URLs.

- Shane

From: Edward W. Felten [mailto:felten@cs.princeton.edu<mailto:felten@cs.princeton.edu>]
Sent: Tuesday, July 09, 2013 10:22 PM
To: Shane Wiley
Cc: rob@blaeu.com<mailto:rob@blaeu.com>; Alan Chapell; David Singer; public-tracking@w3.org<mailto:public-tracking@w3.org>

Subject: Re: June Change Proposal: Definition of Tracking (ISSUE-5)

The definition in the DAA text is "Tracking is the collection and retention , or use, after a network interaction is complete, of data records that are, or can be, associated with of activity across non-affiliated websites linked to a specific user, user agent computer, or device."

I don't see anything in that definition that limits it to "IDs + URLs".   It seems to cover "data records that are, or can be, associated with activity ..."

On Tue, Jul 9, 2013 at 2:24 PM, Shane Wiley <wileys@yahoo-inc.com<mailto:wileys@yahoo-inc.com>> wrote:
Rob,

This definition is too broad and therefore not likely to be implemented.  If we instead focus on tracking as being the association of a unique ID (any source - including digital fingerprints) with web activity (URLs) across non-affiliated sites - we have a foundation upon which we can build a lasting DNT standard (and one that will be implemented and advanced user privacy in a real way).

Could you please provide examples where you feel the industry definition is too narrow (IDs + URLs)?  This appears to hit right at the very heart of the concept of "online tracking" and hopefully builds a definition by which our activities can be appropriately focused.

Please keep in mind the technical side of the specification is so easy to game that we should expect rates exceeding 50% to 80% of DNT:1.

- Shane

-----Original Message-----
From: Rob van Eijk [mailto:rob@blaeu.com<mailto:rob@blaeu.com>]
Sent: Tuesday, July 09, 2013 6:21 AM
To: Alan Chapell
Cc: David Singer; public-tracking@w3.org<mailto:public-tracking@w3.org>
Subject: Re: June Change Proposal: Definition of Tracking (ISSUE-5)
Just to let you know that the DPAs specifically ruled out fingerprinting as an alternative for cookie based tracking in the Berlin Group opinion on Web Tracking and Privacy.

Keeping a definition technology neutral is fine with me. Wishing fingerprinting is off the radar for DPAs is not a preferred move. It would be wise to include fingerprinting specifically in non-normative text, if a definition has to be part of the standard.


I am proposing a new tracking defintion and non-normative text:

Tracking is any form of collection, retention, use and/or application of data that are, or can be, associated with a specific user, user agent, or device.

Non normative explanation: Tracking is not exclusively connected to unique ID cookies. Tracking includes automated real time decisions, intended to analyse or predict the personality or certain personal aspects relating to a natural person, including the analysis and prediction of the person’s health, economic situation, information on political or philosophical beliefs , performance at work, leisure, personal preferences or interests, details and patterns on behavior, detailed location or movements. Tracking is defined in a technological neutral way and includes e.g. cookie based tracking technology, active and passive fingerprinting techniques.


Rob

Alan Chapell schreef op 2013-07-09 14:42:
> Well put, David. I'm not sure we want to call out digital
> fingerprinting specifically - technology neutral is best.
>
>
> On 7/9/13 8:04 AM, "David Singer" <singer@apple.com<mailto:singer@apple.com>> wrote:
>
>>
>> On Jul 9, 2013, at 12:33 , Rob van Eijk <rob@blaeu.com<mailto:rob@blaeu.com>> wrote:
>>
>>>
>>>>>> well, the fingerprint is used as a key to some data storageŠ
>>>>> What if it isn't?  What if a website collects a fingerprint and
>>>>> then discards it?  Surely that should still be prohibited.
>>>> So, during the transaction, the server calculates a fingerprint
>>>> that's plausibly unique to the user, and then when the transaction
>>>> is complete, it discards the fingerprint.  It can't now have
>>>> anything retained that's keyed to that fingerprint, and it can't
>>>> know if the same user visits again (fingerprint match).  I don't
>>>> see the point, but I don't see a problem.
>>>
>>>
>>> Fingerprints do in may cases end up in data sets as matching
>>> identifiers.
>>
>> Then data is being retained.
>>
>>>
>>> Even if a fingerprint is discarded, it can facilitate the linking of
>>> new data to already collected data.
>>
>> how?  if I discard the fingerprint (it's not recorded anywhere)Š
>>
>>> Therefore, fingerprinting is important to address when DNT:1.
>>>
>>> DNT:1 must cover fingerprinting based tracking equal to cookie based
>>> tracking.
>>
>> DNT should cover *tracking*, and we might have comments or notes on
>> what constitutes tracking, retention, etc., but I think it very
>> dangerous to talk of specific technologies in the normative text.
>>
>>>
>>>
>>> David Singer schreef op 2013-07-09 13:05:
>>>> On Jul 8, 2013, at 20:46 , Jonathan Mayer <jmayer@stanford.edu<mailto:jmayer@stanford.edu>>
>>>> wrote:
>>>>>> that could usefully be made clear (that storing information in a
>>>>>> cookie that later should come back to you is still 'retaining'.
>>>>> I'd prefer to focus on privacy properties, not particular
>>>>> technical implementations.  My concern is not the use of browser
>>>>> storage.
>>>>> It's
>>>>> the information flow from the browser to the website.
>>>> Sure, my focus is on what information is retained in the sense it
>>>> is usable by the site(s) after the transaction is over.  Where it
>>>> is (local, cloud, client, service provider, etc.) are irrelevant.
>>>>>>> (And what about fingerprinting, where there is no client-side
>>>>>>> information stored?)
>>>>>> well, the fingerprint is used as a key to some data storageŠ
>>>>> What if it isn't?  What if a website collects a fingerprint and
>>>>> then discards it?  Surely that should still be prohibited.
>>>> So, during the transaction, the server calculates a fingerprint
>>>> that's plausibly unique to the user, and then when the transaction
>>>> is complete, it discards the fingerprint.  It can't now have
>>>> anything retained that's keyed to that fingerprint, and it can't
>>>> know if the same user visits again (fingerprint match).  I don't
>>>> see the point, but I don't see a problem.
>>>>>>> At any rate, I'm inclined to hold this (constructive!)
>>>>>>> conversation until we decide a) to have a definition of
>>>>>>> "tracking" and b) to make that definition normative.
>>>>>> The june document has such, so we should make sure it's
>>>>>> watertight.
>>>>>> that's why I am pressing for specifics. yes, it's helpful.
>>>>> The June draft definition is de jure normative, but de facto
>>>>> non-normative since it isn't used anywhere.
>>>> Indeed, I have CPs to make it used.  It's used by implication but
>>>> not by the text.
>>>> David Singer
>>>> Multimedia and Software Standards, Apple Inc.
>>
>> David Singer
>> Multimedia and Software Standards, Apple Inc.
>>
>>
>>



--
Edward W. Felten
Professor of Computer Science and Public Affairs
Director, Center for Information Technology Policy
Princeton University
609-258-5906<tel:609-258-5906>           http://www.cs.princeton.edu/~felten



--
Edward W. Felten
Professor of Computer Science and Public Affairs
Director, Center for Information Technology Policy
Princeton University
609-258-5906<tel:609-258-5906>           http://www.cs.princeton.edu/~felten



--
Edward W. Felten
Professor of Computer Science and Public Affairs
Director, Center for Information Technology Policy
Princeton University
609-258-5906<tel:609-258-5906>           http://www.cs.princeton.edu/~felten



--
Edward W. Felten
Professor of Computer Science and Public Affairs
Director, Center for Information Technology Policy
Princeton University
609-258-5906<tel:609-258-5906>           http://www.cs.princeton.edu/~felten



--
Edward W. Felten
Professor of Computer Science and Public Affairs
Director, Center for Information Technology Policy
Princeton University
609-258-5906<tel:609-258-5906>           http://www.cs.princeton.edu/~felten



--
Edward W. Felten
Professor of Computer Science and Public Affairs
Director, Center for Information Technology Policy
Princeton University
609-258-5906           http://www.cs.princeton.edu/~felten
Received on Wednesday, 10 July 2013 15:06:18 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 17:39:52 UTC