Re: DNT:1 and "data append" from Alan Chapell on 2013-03-28 (public-tracking@w3.org from March 2013)

From: Alan Chapell <achapell@chapellassociates.com>
Date: Thu, 28 Mar 2013 11:13:00 -0400
To: "public-tracking@w3.org (public-tracking@w3.org)" <public-tracking@w3.org>
Message-ID: <CD79D46D.2DFB5%achapell@chapellassociates.com>
Thanks John. I think conceptually, we're on the same page. The approach
below requires consensus on the terms "provided voluntary" and "business
transaction". 

For example, is serving targeted advertising and content a "business
transaction" or are we limiting this to more financial transactions such as
renewing a content subscription or purchasing goods? Perhaps that can be
clarified via non-normative language.

Or perhaps your language gets added to other data append proposals?

Who  other than you and Aleecia  are submitting proposals? And what is the
ETA?

Normative:

When DNT:1 is received:
-- A 1st Party MUST NOT share share identifiable data with another party
unless the data was provided voluntarily by the user and is necessary to
complete a business transaction with the user.
-- A 1st Party MUST NOT combine identifiable data from another party with
data it has collected while a 1st Party.

From:  John Simpson <john@consumerwatchdog.org>
Date:  Wednesday, March 27, 2013 3:27 PM
To:  Alan Chapell <achapell@chapellassociates.com>
Cc:  Nicholas Doty <npdoty@w3.org>, "public-tracking@w3.org
(public-tracking@w3.org)" <public-tracking@w3.org>
Subject:  Re: DNT:1 and "data append"

> Alan,
> 
> I completely agree with your analysis and believe language I suggested makes
> that clear.  I understand others are working on data append text and hope my
> text could be merged with that.  Again, here is my proposed text:
> 
> Normative:
> 
> When DNT:1 is received:
> -- A 1st Party MUST NOT share share identifiable data with another party
> unless the data was provided voluntarily by the user and is necessary to
> complete a business transaction with the user.
> -- A 1st Party MUST NOT combine identifiable data from another party with data
> it has collected while a 1st Party.
> 
> Cheers,
> John
> 
> On Mar 27, 2013, at 7:20 AM, Alan Chapell <achapell@chapellassociates.com>
> wrote:
> 
>> Yes, the DNT HTTP header is an expression about an online transaction.
>> When DNT is enacted, an online transaction can't be tailored by a profile.
>> Whether that profile was derived from 1) a URL string across multiple
>> website visits or 2) an offline database should not matter. A User seeking
>> not to be tracked while online is unlikely to be able to make such
>> distinctions - and neither should we.
>> 
>> 
>> 
>> 
>> On 3/27/13 1:26 AM, "Nicholas Doty" <npdoty@w3.org> wrote:
>> 
>>> On Mar 25, 2013, at 12:34 PM, Alan Chapell
>>> <achapell@chapellassociates.com> wrote:
>>> 
>>>> Thanks David. Perhaps this will help clarify where some of the confusion
>>>> lay. In any event, I look forward to discussing further on Wednesday.
>>>> 
>>>> On 3/21/13 3:16 PM, "David Singer" <singer@apple.com> wrote:
>>>> 
>>>>> I remain somewhat puzzled by this discussion.  Let's see if I can
>>>>> explain
>>>>> my puzzlement, and maybe the answers will help shed light.
>>>>> 
>>>>> DNT is an expression about privacy in an online transaction (between a
>>>>> user and their user-agent, and a server, over HTTP or similar
>>>>> protocols).
>>>> 
>>>> I recognize that this is the position of some in the group.
>>> 
>>> Is there disagreement on this part of David's summary? The DNT HTTP
>>> header is quite directly an expression about a particular online
>>> transaction. The group agreed very early on to make the expression apply
>>> to that particular request (which an HTTP header is well-suited for) and
>>> not to imply, for example, retroactive deletion.
>>> 
>>>> It's worth
>>>> noting that this is not how DNT is described in the charter. The charter
>>>> describes DNT as a "preference expression mechanism ("Do Not Track") and
>>>> technologies for selectively allowing or blocking tracking elements."
>>>> 
>>>> I note that we have chosen not to define tracking or "tracking elements"
>>>> in this working group, which may be a reason for some of the confusion.
>>> 
>>> To provide some context, the text in the charter "selectively allowing or
>>> blocking tracking elements" referred to formats for determining white and
>>> black listing for blocking purposes; we did some early work on the
>>> Tracking Selection Lists specification, working from a submission from
>>> Microsoft. The group has subsequently decided to stop work on those
>>> deliverables, with the preference for not working on formats that would
>>> enable blocking.
>>> 
>>> While "Do Not Track" in the press or in the terms of some companies has
>>> been used to refer to almost any privacy or blocking measure, we have
>>> used it here (and the charter follows this convention) to refer to the
>>> preference expression mechanism -- where you express the preference "Do
>>> Not Track" -- and not to blocking mechanisms, even though lists for
>>> selectively blocking HTTP requests were also in scope of the Tracking
>>> Protection Working Group.
>>> 
>>> Hope this provides some clarity,
>>> Nick
>>> 
>> 
>> 
>
Received on Thursday, 28 March 2013 15:16:30 UTC