June Change Proposal: security and fraud exemption (Issue-24)

From: Lee Tien <tien@eff.org>
Date: Tue, 25 Jun 2013 19:04:42 -0700
Message-Id: <D9A4A65F-B4AE-4202-8125-86006873FBD3@eff.org>
To: "public-tracking@w3.org public-tracking@w3.org" <public-tracking@w3.org>

The EFF/Mozilla/Stanford proposal originally proposed:

"A third party may collect and use protocol information for the detection and prevention of security breaches and fraudulent activity, subject to a six-month retention period. A third party may collect, retain, and use data about a particular user or user agent for the purpose of preventing fraud, provided that there are reasonable grounds to believe the user or user agent was attempting to commit fraud at the time the data was received. A third party may collect, retain, and use data about a particular user or user agent for the purpose of ensuring its security, provided that there are reasonable grounds to believe the user or user agent was attempting to breach the party's security at the time the data was received."  

I assume that language is still on the table?

Regardless, I now propose the following, which omits specific retention periods in favor of "only retains so long as necessary" tied to parties' transparency obligations on retention periods (as generally set forth in the June Draft on minimization and transparency).  
 
"I. Fraud Prevention
 
A. Operative Text
 
A third party may collect, retain, and use data about a particular user or user agent for the sole purpose of preventing fraud, provided that there are reasonable grounds to believe the user or user agent is presently attempting to commit fraud.  Data may only be retained as long as necessary to mitigate the present threat.
 
B. Non-Normative Discussion
 
When a user meaningfully interacts with third-party content (e.g. clicking an ad), the third party can collect, retain, and use information for fraud prevention.  Third parties can also use protocol logs for fraud prevention.  This exception provides an additional capability to, in certain circumstances, track impressions for fraud prevention.
 
II. Security
 
A. Operative Text
 
A third party may collect, retain, and use data about a particular user or user agent for the sole purpose of ensuring its security, provided that there are reasonable grounds to believe the user or user agent is presently attempting to breach the party's security.  Data may only be retained as long as necessary to mitigate the present threat.
 
B. Non-Normative Discussion
 
This exception grants third parties (e.g. advertising networks) some latitude to mitigate security risks. Websites that users store sensitive personal information on (e.g. financial services and webmail) are all first-party; they are able to collect, retain, and use information about all users for security purposes."  


-- 
Lee Tien
Senior Staff Attorney
Electronic Frontier Foundation
815 Eddy Street
San Francisco, CA 94109
(415) 436-9333 x 102 (tel)
(415) 436-9993 (fax)
tien@eff.org
Received on Wednesday, 26 June 2013 02:05:09 UTC