- From: Rob van Eijk <rob@blaeu.com>
- Date: Thu, 11 Jul 2013 14:12:09 +0200
- To: Shane Wiley <wileys@yahoo-inc.com>, "public-tracking@w3.org" <public-tracking@w3.org>
- Message-ID: <68080091-e24b-4518-abe5-93b8d2c4dbb4@email.android.com>
Hi Shane, I am operating under a broader definition of tracking. The change proposal is on the wiki for public record. As a result I think aggregated scoring should be included within the scope of tracking. Leaving aside the challenge to become legally compliant in the EU, when performing interest based (re)targeted advertising, there is a window of opportunity now to include privacy by design in the way forward. If implemented with effective privacy by design choices, it may well be that the Yahoo! scoring algorithm passes the test in aggregating from Red to Green. As indicated during the call, data retention in the Yellow may be your golden key here. But that would bring us into a discussion on a permitted use for aggregated scoring, similar to the discussion we are having on audience measurement. The discussion would have to hit elements like purpose limitation, proportionality, data retention and other crucial data protection principles. The technical challenge is to convert data about an individual to data about an object. I am not sure however how to prevent data about an object being turned into data about a person again when the purpose is to serve interest based (re)targeted ads. As Paul Ohm indicated earlier today, the cookie is stored in the browser, and is send with every request connected to the cookie domain. As indicated in the Berlin Group paper, it is the user who buys the proverbial pair of red shoes. It is for that reason that in the discussion on audience measurement, the application of the measurement data to an individual has been flagged as not allowed. I do recognize the sentiment for change that shows in your proposal. Based on the proposal that is up for call for objection this Friday the definition causes a big problem. I hope you (and industry) are willing to plunge into the deep here, instead of getting cold feet by narrowing the scope of what should be considered to be tracking. mvg::Rob Shane Wiley <wileys@yahoo-inc.com> wrote: Shane Wiley <wileys@yahoo-inc.com> wrote: >Rob, > >While I disagree with your opinion, I deeply respect your perspective >so please help me understand where you see the definition for Tracking >not working in these cases. Once we define “Tracking” and our focus is >“Do Not Track”, I see it as a logical test to look at company >activities in this light and determine is a particular practice >“Tracking” or “Not Tracking” – hence my use of these terms. > >- Shane > >From: Rob van Eijk [mailto:rob@blaeu.com] >Sent: Thursday, July 11, 2013 10:58 AM >To: Shane Wiley; public-tracking@w3.org >Subject: RE: Initial Work Plan on Change Proposals, including for next >Wednesday > > >Shane, > >Your definition of tracking remains inadequate IMHO. > >Especially since your reasoning for aggregated scoring is based on 'not >tracking'. In that way you use your definition to create a leverage >with 'not retaining', to put the data practice of interest based >behavioural advertising out of scope. > >Your answer suggest that I should look at the means first (hashed >pseudonyms) in order to figure out whether it is subject to DNT and >de-identification, whereas it is easy (for me at least) to confuse this >case with targeted advertising which is based on a compare and not >retaining information. > >mvg::Rob > > >Shane Wiley <wileys@yahoo-inc.com<mailto:wileys@yahoo-inc.com>> wrote: >Rob, > > >Aggregate Scoring and De-Identification are two very different things. >Your email highlighted that “hashed pseudoymns” could become linkable – >this is part of the de-identification discussion, not aggregate >scoring. Your most recent email now crosses over to Aggregate Scoring >which I agree is considered “not tracking”. > > >- Shane > > >From: Rob van Eijk [mailto:rob@blaeu.com] >Sent: Thursday, July 11, 2013 10:26 AM >To: Shane Wiley; public-tracking@w3.org<mailto:public-tracking@w3.org> >Subject: RE: Initial Work Plan on Change Proposals, including for next >Wednesday > > > >Shane, you are confusing me. As I understood from yesterday, under the >strict definition of tracking, this example would most likely qualify >as 'not tracking'. Where do we disconnect? > >Rob >Shane Wiley <wileys@yahoo-inc.com<mailto:wileys@yahoo-inc.com>> wrote: >Rob, > > >In this example, Twitter is purposely allowing for mapping between >hashed identifiers whereas in the industry proposal this is expressly >prohibited and will require a combination of technical, operational, >and administrative controls to develop a level of reasonable confidence >this process cannot be reverse engineered. > > >- Shane > > >From: Rob van Eijk [mailto:rob@blaeu.com] >Sent: Wednesday, July 03, 2013 8:26 PM >To: public-tracking@w3.org<mailto:public-tracking@w3.org> >Subject: Re: Initial Work Plan on Change Proposals, including for next >Wednesday > > > >Example of the linkability of hashed pseudonyms: >https://blog.twitter.com/2013/experimenting-with-new-ways-to-tailor-ads, >a nice use case that shows that the definition of de-identified in the >DAA proposal may cause problems. > >Rob >Rob van Eijk <rob@blaeu.com<mailto:rob@blaeu.com>> wrote: > >Peter, > >We have gotten to the point that the only logical and responsible way >forward IMHO is to task industry to chop up the DAA proposal into >change proposals and include these in the wiki that Nick painstakingly >kept up to date. > >Next week, I hope that the group will want to dive deeper into the >discussion on de-identification, when Shane and Dan are back. Dan put >out a reasonable request on the mailing list, after having put in a lot >of work on the topic of de-identification. > >Rob >Dan Auerbach <dan@eff.org<mailto:dan@eff.org>> wrote: >Hi Peter and everyone, > >I'm unfortunately on vacation next week and won't be available for this >call. I have given a lot of thought and energy to the de-identification >and unique id issues, so would like the opportunity to further discuss >the following week once I'm back before any decisions are made. I will >catch up with the minutes. I'd love to get to agreement on these >issues, but they are tough and important, so we need to proceed >carefully. > >Below are some quick comments addressing some of your questions: > >On 06/28/2013 02:56 PM, Peter Swire wrote:
Received on Thursday, 11 July 2013 12:12:38 UTC