Fwd: Re: ACTION-415 Provide text proposal regarding limitations on using a Potential Consent signal from Matthias Schunter (Intel Corporation) on 2013-06-13 (public-tracking@w3.org from June 2013)

From: Matthias Schunter (Intel Corporation) <mts-std@schunter.org>
Date: Thu, 13 Jun 2013 10:22:42 +0200
To: Ronan Heffernan <ronansan@gmail.com>
CC: "public-tracking@w3.org (public-tracking@w3.org)" <public-tracking@w3.org>
Message-ID: <51B98152.30704@schunter.org>
Hi Ronan,

Quick question: Do you only need a change in collection/retention time 
to 48h
or would you also require to set a ID cookie?
(i.e., loosely speaking "acting like DNT;0" for 48h and then cleaning up)?

In the latter case (also 48h permission to set cookies), I would need to 
change the proposed text for this permitted use.


Matthias

-------- Original Message --------
Subject:  Re: ACTION-415 Provide text proposal regarding limitations on 
using a Potential Consent signal
Date:  Wed, 12 Jun 2013 16:32:55 -0700
From:  Jonathan Mayer <jmayer@stanford.edu>
To:  Matthias Schunter (Intel Corporation) <mts-std@schunter.org>
CC:  public-tracking@w3.org



Just to remain clear from today's call, I'm not sold on the "P" flag. 
  The technical need appears limited (especially if ID cookies aren't 
allowed for DNT: 1 and no consent), and the risk of abuse seems not 
insignificant.

Jonathan

On Wednesday, June 12, 2013 at 1:54 PM, Matthias Schunter (Intel 
Corporation) wrote:

> Hi Team,
>
>
> as expressed in the call, I would like to ensure that
>  (a) The "P" flag only relaxes the requirements on 
> transparency/notification.
>  (b) The "P" flag does not give you any extra leeway/permisson to 
> collect or track
>
> As a consequence, I suggest to split this text into two orthogonal pieces:
>  (A) A "P" flag that allows delayed notification (without any 
> additional permitted use)
>  (B) A permitted use for keeping data for "48h" (or some other 
> short-term retention).
>
> Text proposals for (A):
>
> Normative: "A tracking status value of P indicates that a site is 
> following third party rules ("3"), except for users who have given 
> prior consent. Unlike /*C*/, the origin server does not know, in 
> real-time, whether it has received prior consent for tracking this 
> user, user agent, or device. Since this status value does not itself 
> indicate whether consent has been received for a specific user, an 
> origin server that sends a |P| tracking status value /must/ provide an 
> |edit 
> <http://www.w3.org/2011/tracking-protection/drafts/tracking-dnt.html#dfn-edit>| member 
> in the corresponding tracking status representation that links to a 
> resource for obtaining consent status."
>
> Non-Normative: The |P| tracking status value is specifically meant to 
> address audience survey systems for which determining consent at the 
> time of a request is either impractical, due to legacy systems not 
> being able to keep up with Web traffic, or potentially "gamed" by 
> first party sites if they can determine which of their users have 
> consented. The data cannot be used for the sake of personalization. If 
> consent can be determined at the time of a request, the |C 
> <http://www.w3.org/2011/tracking-protection/drafts/tracking-dnt.html#dfn-c>|tracking 
> status should be used. *If an origin server subsequently determines 
> that it does not have prior consent to track a user, the origin server 
> may not then disregard the user's DNT:1 signal; rejections of DNT:1 
> signals must be made in real-time, using the tracking status value of 
> D defined in 5.2.8.*
>
>
> Text proposal for (B):
> (SOME FLAG) This permitted use allows third parties to temporarily 
> keep data for 48h. After this time (unless consent has been obtained), 
> the third party compliance rules
>     must be satisfied.
>
>
> Opinions/Feedback?
>
> Matthias
>
>
> On 12/06/2013 17:02, Justin Brookman wrote:
>>
>>
>>         I propose to add the bolded sentence to 5.2.7 of the TPE on
>>         Potential Consent.
>>
>>
>>         5.2.7 Potential Consent (P)
>>
>> A tracking status value of P means that the origin server does not 
>> know, in real-time, whether it has received prior consent for 
>> tracking this user, user agent, or device, but promises not to use or 
>> share any |DNT:1| data until such consent has been determined, and 
>> further promises to delete or de-identify within forty-eight hours 
>> any |DNT:1| data received for which such consent has not been received.
>>
>> Since this status value does not itself indicate whether a specific 
>> request is tracked, an origin server that sends a |P| tracking status 
>> value /must/ provide an |edit 
>> <http://www.w3.org/2011/tracking-protection/drafts/tracking-dnt.html#dfn-edit>| member 
>> in the corresponding tracking status representation that links to a 
>> resource for obtaining consent status.
>>
>> The |P| tracking status value is specifically meant to address 
>> audience survey systems for which determining consent at the time of 
>> a request is either impractical, due to legacy systems not being able 
>> to keep up with Web traffic, or potentially "gamed" by first party 
>> sites if they can determine which of their users have consented. The 
>> data cannot be used for the sake of personalization. If consent can 
>> be determined at the time of a request, the |C 
>> <http://www.w3.org/2011/tracking-protection/drafts/tracking-dnt.html#dfn-c>|tracking 
>> status is preferred. *If an origin server subsequently determines 
>> that it does not have prior consent to track a user, the origin 
>> server may not then disregard the user's DNT:1 signal; rejections of 
>> DNT:1 signals must be made in real-time, using the tracking status 
>> value of D defined in 5.2.8.*
>>
>
Received on Thursday, 13 June 2013 08:23:07 UTC