Re: TPE Handling Out-of-Band Consent (including ISSUE-152)

From: Rob van Eijk <rob@blaeu.com>
Date: Sat, 23 Mar 2013 08:37:37 +0100
To: "Roy T. Fielding" <fielding@gbiv.com>, Justin Brookman <justin@cdt.org>
CC: public-tracking@w3.org
Message-ID: <292a6c40-e552-47b4-9298-c96de9c089d4@email.android.com>

The problem Alex raises is that the pixel technology is not able to talk DNT. Like I said in Berlin when we discussed audience measurement: Nielsen has to innovate. When DNT=1, it has to be meaningful. If your fishnet is not designed to determine whether you have out-of-band consent, then you shouldn't be fishing.
I remain very concerned about this discussion. We have seen this discussion going from a possible exception to now a deferrence of approach. The underlying problem has been the same: the tracking pixels are invisible, and data from non-panel members gets collected under DNT=1. That is not meaningful to me.

Rob



"Roy T. Fielding" <fielding@gbiv.com> wrote:

>On Mar 22, 2013, at 1:39 PM, Justin Brookman wrote:
>> On 3/22/2013 3:42 PM, Ronan Heffernan wrote:
>>> Responding to a DNT:1 signal with an acknowledgement that a company
>>> follows DNT, and will abide by the restrictions (and permitted uses)
>>> therein, is easy.  Responding with real-time lookups of whether OOBC
>>> exists is quite difficult (in many cases impossible), especially for
>>> large-scale systems that use CDNs and other distributed processing, and
>>> systems that do not receive technical information required to perform
>>> OOBC lookups until after some browsing has already happened.
>> I just don't understand why these concerns hadn't been raised in the
>> previous two years of discussions (it is possible they have and I was
>> paying less attention to TPE, but if they were, they were resolved to
>> the editors' and chairs' satisfaction).  The mandatory response signal
>> has been in the TPE for some time now.  I would like to hear from
>> others if feedback is effectively impossible for OOB.  In which case,
>> that's an argument that we need should get rid of OOB and require
>> implementation of the exception mechanism by user agents (something I
>> had previously been reluctant to do).
>
>I think Alex raised the issue early on and we simply neglected
>to design for it.  There do exist systems that only *use* collected data
>in essentially offline batch processing, so it is reasonable for a site
>to say "we are collecting data for all transactions but will only retain
>and use data from users identified as having previously given consent".
>
>I would not suggest using "C" for that.  It is a different answer.
>
>Alternatively, we could just make it part of the "3" definition to
>be that DNT:1 data will not be retained (beyond the minimum period
>allowed for non-processed raw data) unless agreed to separately by
>the user under contract.  That would be consistent with prior consent
>overriding DNT.
>
>And, again, whether or not this meets what the user asked by DNT:1
>depends entirely on the definition of Do Not Track.  If DNT:1 means
>let me browse anonymously, then sites that can't support anonymous
>browsing can't comply with DNT. Panel studies should simply
>require that members in the panel turn off DNT.
>
>OTOH, if DNT:1 means do not follow my activity across non-affiliated
>sites without my prior consent, then it would be sufficient for
>OOB consent sites to implement DNT by stating that the data will be
>deleted within X hours if it does not correspond to a user that has
>consented.
>
>....Roy
Received on Saturday, 23 March 2013 07:38:34 UTC