- From: Roy T. Fielding <fielding@gbiv.com>
- Date: Wed, 13 Mar 2013 17:14:57 -0700
- To: Walter van Holst <walter.van.holst@xs4all.nl>
- Cc: public-tracking@w3.org
On Mar 13, 2013, at 1:58 AM, Walter van Holst wrote: > On 3/12/13 4:16 PM, Elizabeth Coker wrote: >> Dear TPWG Members: >> >> I want to direct everyone's attention to this WSJ article >> <http://online.wsj.com/article_email/SB10001424127887324096404578354533010958940-lMyQjAxMTAzMDEwMTExNDEyWj.html> >> that highlights the issues with "first" and "third" parties. Actually, it doesn't. The article is about publicly shared interests and how they reveal something about the users. If the article had removed the mention of Facebook and the Internet, people reading it would have responded "well, duh!" and that would be the end of it. Jeff should know quite well that this is a publicity problem, not a privacy red flag, but I assume he has that quote imprinted on his business card. ;-) We have no right nor responsibility to decide for the user what they choose to publish about their own interests, nor what services that they choose to publish them on. >> While a >> technical standard must be implemented, it should be consistent with >> consumer expectations, not warped into something that continues to >> obfuscate data collection from consumer, publisher and advertiser >> scrutiny. Privacy preference management is typically assumed to be >> between the consumer and the website (or brand) by most people. Only >> highly informed individuals realize that every time they "click" on >> something they could be dealing with a "new" first party and that their >> data may now be collected by some unknown entity – even though their >> intent was not to share, or only to share with the trusted brand or site. > > May I add to this that, although there are no published industry > practices on this matter, data by (relatively) unknown entities is > gathered as a result of merely rendering the website. The vast majority > of individuals do not realise that. > > This study about Facebook 'likes' also highlights the linkability issue. I seem to have failed to make the connection. If you mean that data correlation works, then I think we already know that. Regarding Elizabeth's complaint regarding the definitions, clicking on a Facebook Like button (or a Google+ +1 button) has one and only one meaning to the user: Tell the people permitted by my social network configuration that I like this page, presumably so that they can visit it too. That is the only consumer expectation that matters here. If the user doesn't have a G+ or FB account, they are going to get a message that they need to login to their account. If they do have a G+ or FB account, the action corresponding to the click cannot be accomplished according to the user's expressed wish without the button's action resource collecting the account info and the URL of the page the button was on. While it is theoretically possible for a user to accidentally click such a button, it is not possible for the service to distinguish that from an intentional action, nor is it reasonable to assume that a user with a social networking account has not been sufficiently informed about the purpose and effect of clicking on such a button. Whether they are informed or not is a concern for the FTC, not us. Regardless, there are two obvious solutions: 1) delete the social network account, or 2) stop clicking on the buttons. Control over how data is used occurs within the user's account profile on that first party service (G+ or FB). We have no rational means to presume how that data will be used, to what extent the user is aware of that use, to what extent the service has provided control over that use, or to what extent such an action may or may not result in following the user across sites. Those things are the responsibility of the user and the service which they requested. The service is not tracking the user when the user tells the service where they are and to remember that fact -- it is just performing the action requested. If the user does not like how the data will be used, they are free to choose a different service. Having made that request of a first party to which they have an established relationship, it might make sense to wonder what control the user has over the data that has been submitted. That is a general issue of user rights to information about them, whether that data is private or published, and is addressed by public policy and the specific privacy policy of the service with which the user maintains an account. It is not within the scope of our work aside from the general prohibition of a first party sharing the data from DNT:1 requests with third parties. It may be within the scope of the Privacy Interest Group (i.e., not this mailing list). Once again, this would all be obvious if our drafts started with a reasonable definition of tracking. Furthermore, if we ignore the article's subject and actually talk about tracking across sites, then YES there is no doubt whatsoever that tracking an identifiable individual, via their user agent or device, across multiple unaffiliated websites can eventually result in some form of segmentation (association made between the individual and some set of interests) that the user did not directly reveal to any of the individual first party sites, and in some cases that segmentation won't be false. That is one of the many reasons why this working group exists and why we call collection of data about an individual across multiple sites "tracking" instead of just data collection. All of us would like a working solution that addresses the specific privacy risk that we have been convened to address. If we can just work on the problem we agreed to solve, maybe we'll make some progress. ....Roy
Received on Thursday, 14 March 2013 00:15:24 UTC