Re: change proposals

From: Nicholas Doty <npdoty@w3.org>
Date: Sat, 29 Jun 2013 11:52:49 -0700
Cc: <public-tracking@w3.org>
Message-Id: <1F142D9D-E21F-4CFF-BFB1-D69261CB44F6@w3.org>
To: Mike O'Neill <michael.oneill@baycloud.com>

Hi Mike,

There are a lot of changes here; I've done my best to categorize them appropriately.

On Jun 20, 2013, at 2:21 PM, Mike O'Neill <michael.oneill@baycloud.com> wrote:

> 1. Scope
>  
> Replace the term user-granted exception with user-granted tracking consent throughout the document.
>  
> Justification.
>  
> The word exception has a particular meaning in the context of software program flow and will be confusing here particularly when JavaScript issues are discussed. It is also not always an exception to a DNT general preference because it can be specified when the general preference is unset.

We might consider this simply editorial, but since it would be a significant change across both documents, and out of caution, I've opened an issue (ISSUE-212) and created a change proposal on the wiki.

http://www.w3.org/wiki/Privacy/TPWG/Change_Proposal_Naming_User_Granted_Exceptions

For what it's worth, I've heard similar requests from potential implementers, with the same pair of reasons.

> 2. Definitions
>  
> In paragraph 5 a new item 3.
>  
> 3. has no independent right to use or share the data.
>  
> Justification.
>  
> The current wording is too broad especially when applied to data sharing. It could be read as saying that data could be shared in order for “correct operation” which could be construed to be for almost any purpose. The ability to use a third party for security and integrity etc. is already covered by item 2 “and used as directed by that client”.
> This is important because the use of persistent identifiers in first-party contexts will take over the tracking role from third-party cookies and there will be pressure for them to be shared to support cross-domain tracking.

This may be purely editorial if, as I believe the group has discussed before, "used as directed" could encompass these debugging and security uses. I've added this edit to: http://www.w3.org/wiki/Privacy/TPWG/Change_Proposal_Service_Provider#Proposal:_No_Independent_Right
 
> A new set of definitions for persistent identifiers and duration. The term unique user identifier should be replaced by persistent identifier throughout the document.
>  
> A persistent identifier is an arbitrary value held in the User-Agent whose purpose is to identify the User-Agent in subsequent transactions to a particular web domain. It may be encoded for example as the name or value attribute of an HTTP cookie, as an item in localStorage or recorded in some way in the cache.
>  
> The duration of a persistent identifier is the maximum period of time it will be retained in the User-Agent. This could be implemented for example using the Expires or Max-Age attributes of an HTTP cookie so that it is automatically deleted by the User-Agent after the specified time period is exceeded.

Added to: http://www.w3.org/wiki/Privacy/TPWG/Change_Proposal_Unique_Identifiers

>  Justification.
>  
> The original name in the TPC was persistent identifier which is a better term, though it still needs defining. An identifier may not need to be unique in order for it to be used for tracking, but it would have to be persistent. We should qualify permitted uses so the duration of any persistent identifiers is purpose limited.

This also connects to the duration requirement suggested on identifiers in the permitted uses section (which you describe below), collected at:
http://www.w3.org/wiki/Privacy/TPWG/Change_Proposal_Retention_Permitted_Uses

> A new paragraph 3.
>  
> A user agent MUST have a default tracking preference of unset (not enabled) unless a specific tracking preference is implied by the decision to use that agent, or another default preference is needed in order to comply with applicable laws, regulations and judicial processes.
>  
> Justification.
>  
> The original wording in the TPE, allowing the choice of a privacy oriented user-agent, was better so why lose it, and it is possible that rights-based jurisdictions like the EU with an assumed right to privacy may require user-agents be supplied with DNT set by default.

It sounds like you're supportive of Justin's proposal that the group rely on the full wording in the TPE; so I've added a link to your message to that proposal on the wiki. If you have a distinct proposal, feel free to distinguish.

http://www.w3.org/wiki/Privacy/TPWG/Change_Proposal_User_Agent_Compliance#Mirror_TPE_language

> In paragraph 4. Remove MUST ensure that the tracking preference choices describe the parties to whom DNT applies
>  
> Justification.
>  
> This is unclear. If it is about the difference between first and third parties then it is irrelevant in Europe.

Perhaps the confusion is over the wording; that DNT applies to all parties but has different requirements for different parties or within different contexts. Is that right? Or are you proposing that UAs not be required to describe anything about parties/contexts in describing DNT?

> 4. First Party Compliance
>  
> Replace sentence 1 to paragraph 1 with:
> If a first party receives a DNT:1 signal it may react to it as if it were a third-party as described in section 5 below, for example in order to comply with applicable laws, regulations and judicial processes. Otherwise it MAY engage in its normal collection and use of information.
>  
> Remove paragraph 3.
>  
> Justification.
>  
> First-parties may be required to follow third-party procedures, or may elect to off their own bat.

Apologies, I don't understand this change. You want to change the ordering so that the "MAY follow third-party practices" is first and the "MAY engage in its normal" is last? Or is there a substantive change here?

> Third Party Compliance: Remove paragraphs 5 and 7.
>  
> Justification.
>  
> No data should be collected when DNT is set unless it is for a permitted use. If “and otherwise be linked to” ends up being removed from the definition of de-identified data then this could create a gaping hole in the standard.

Per Thomas's question, is this just a question about the definition of de-identified? Or a change such that de-identified data cannot be collected?


>  5.1.2 Data Minimisation, Retention and Transparency
>  
> New paragraph 4.
>  
> If persistent identifiers are used then their duration should be limited to the maximum necessary for such permitted use.
>  
> Justification.
>  
> If a permitted use requires a persistent identifier then it does not need to exist beyond the purpose of the permitted use. For example if it is necessary to detect unique visitors for frequency capping the duration could be no more than some number of minutes.

Added to http://www.w3.org/wiki/Privacy/TPWG/Change_Proposal_Retention_Permitted_Uses

> 5.2 Permitted Uses
>  
> Add a new paragraph 5.
>  
> If a persistent identifier is required for any permitted use, for example in order to identify a unique visitor for billing or frequency capping purposes, the duration of the persistent identifier should be limited to the maximum necessary for such permitted use.
>  
> Justification.
>  
> Same as above.

I believe the general requirement for permitted uses is the correct place for this change; if adopted, we wouldn't need to repeat it in the Permitted Uses section as well.

I'm forwarding the other change proposals (which I believe Thomas had identified as editorial) to the editors in case they can resolve them simply by cleaning up language.

Thanks,
Nick
Received on Saturday, 29 June 2013 18:52:48 UTC
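
The duration definition quoted in this thread (an identifier's retention set by a cookie's Expires or Max-Age) can be checked mechanically. The following is an added example, not part of the original message or of any working group document: it computes each cookie's effective duration and flags identifiers retained longer than a per-purpose cap. The cap values, purpose names and sample headers are assumptions constructed for illustration, and identifiers held in localStorage or the cache are not covered.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Hypothetical per-purpose caps in seconds (assumed; the thread gives no figures).
PURPOSE_CAPS = {"frequency_capping": 30 * 60, "billing": 31 * 24 * 3600}

def cookie_duration(set_cookie, now):
    """Return (name, seconds retained by the user agent); None means session-only."""
    parts = [p.strip() for p in set_cookie.split(";")]
    name = parts[0].split("=", 1)[0]
    max_age = expires = None
    for attr in parts[1:]:
        key, _, value = attr.partition("=")
        try:
            if key.strip().lower() == "max-age":
                max_age = int(value)
            elif key.strip().lower() == "expires":
                expires = parsedate_to_datetime(value.strip())
                if expires.tzinfo is None:  # treat zone-less dates as UTC
                    expires = expires.replace(tzinfo=timezone.utc)
        except (TypeError, ValueError):
            pass  # a malformed attribute is ignored, as a user agent would
    if max_age is not None:  # Max-Age takes precedence over Expires (RFC 6265)
        return name, max(max_age, 0)
    if expires is not None:
        return name, max(int((expires - now).total_seconds()), 0)
    return name, None

def over_cap(headers, purposes, now):
    """Return (name, duration, cap) for identifiers kept longer than their purpose allows."""
    findings = []
    for header in headers:
        name, duration = cookie_duration(header, now)
        cap = PURPOSE_CAPS.get(purposes.get(name))
        if duration is not None and cap is not None and duration > cap:
            findings.append((name, duration, cap))
    return findings

# Constructed sample Set-Cookie values and purpose mapping (not from any real site).
NOW = datetime(2013, 6, 29, 18, 52, 48, tzinfo=timezone.utc)
SAMPLE_HEADERS = [
    "fcap=a81f; Max-Age=900; Path=/",
    "uid=77c2; Expires=Sun, 29 Jun 2014 18:52:48 GMT; Path=/",
    "bill=19d0; Max-Age=86400; Expires=Wed, 01 Jan 2020 00:00:00 GMT",
    "sid=c3e9; HttpOnly",
]
SAMPLE_PURPOSES = {"fcap": "frequency_capping", "uid": "frequency_capping",
                   "bill": "billing", "sid": "frequency_capping"}
```

Calling `over_cap(SAMPLE_HEADERS, SAMPLE_PURPOSES, NOW)` reports only `uid`, whose one-year Expires exceeds the assumed 30-minute frequency-capping cap; `bill` passes because its Max-Age overrides the later Expires date.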