- From: Jonathan Mayer <jmayer@stanford.edu>
- Date: Tue, 7 May 2013 01:04:06 -0700
- To: "public-tracking@w3.org Group WG" <public-tracking@w3.org>
- Message-ID: <40EF27B1E8884A0E8F2183A6E877A5B3@gmail.com>
Working Group Colleagues, Much of the proposed "framework," as I understand it, is a shorthand synthesis of disparate conversation strands rather than a substantive resolution of unresolved topics. As preparation for this week's meeting, I found it helpful to map the framework against the longstanding and well-documented formal ISSUEs that we all have been working on. I thought others in the group might similarly find the approach productive, so I've shared the mapping below. I've bolded ISSUEs that seemed particularly relevant and frequently discussed. Best, Jonathan > 1. DNT would be honored by third parties that collect tracking data, and these third parties would not collect tracking data on any browser where the consumer has activated the DNT functionality. Third parties could still collect data for the narrow set of permitted uses. For DNT:1 users, if an entity has a permitted basis for collection of such information, the entity can use the data only for the permitted uses.ISSUE-2: What is the meaning of DNT (Do Not Track) header? ISSUE-5: What is the definition of tracking? ISSUE-9: Understand all the different first- and third-party cases. ISSUE-10: What is a first party? ISSUE-16: What does it mean to collect data? (caching, logging, storage, retention, accumulation, profile etc.) ISSUE-17: Data use by 1st Party ISSUE-18: Collection definition (not sure I said the prefix before?) ISSUE-19: Data collection / Data use (3rd party) ISSUE-20: Different types of data, what counts as PII, and what definition of PII ISSUE-22: Still have "operational use" of data (auditing where of where ads are shown, impression tracking, etc.) ISSUE-23: Possible exemption for analytics ISSUE-24: Possible exemption for fraud detection and defense ISSUE-25: Possible exemption for research purposes ISSUE-28: Exception for mandatory legal process ISSUE-30: Will Do Not Track apply to offline aggregating or selling of data? ISSUE-31: Minimization -- to what extent will minimization be required for use of a particular exemption? (conditional exemptions) ISSUE-34: Possible exemption for aggregate analytics ISSUE-36: Should DNT opt-outs distinguish between behavioral targeting and other personalization? ISSUE-39: Tracking of geographic data (however it's determined, or used) ISSUE-49: Third party as first party - is a third party that collects data on behalf of the first party treated the same way as the first party? ISSUE-54: can first parties use declared data while in a 3rd party context? ISSUE-55: What is relationship between behavioral advertising and tracking, subset, different items? ISSUE-64: How do we describe non-identifiable data ISSUE-65: How does logged in and logged out state work ISSUE-71: Does DNT require purging or modifying data collected in the past (not under DNT)? ISSUE-72: Basic principle: independent use as an agent of a first party ISSUE-73: In order for analytics of other contracting to count as first-party: by contract, by technical silo, both silo and contract ISSUE-74: Are surveys out of scope? ISSUE-88: different rules for impression of and interaction with 3rd-party ads/content ISSUE-89: Does DNT mean at a high level: (a) no customization, users are seen for the first time, every time. (b) DNT is about dat moving between sites ISSUE-91: Might want prohibitions on first parties re-selling data to get around the intent of DNT ISSUE-92: If data collection (even very specific with IP address, user agent, referrer) is time-limited, with very limited retention, is that still tracking? ISSUE-97: Re-direction, shortened URLs, click analytics -- what kind of tracking is this? ISSUE-99: How does DNT work with identity providers? ISSUE-103: We're not sure where the exceptions should be and ensure they are categorically captured in the based 3rd party prohibition statements ISSUE-117: Terms: tracking v. cross-site tracking ISSUE-122: Should we have use limitations on referrer data? ISSUE-134: Would we additionally permit logs that are retained for a short enough period? ISSUE-142: How should protocol data be allowed to be used in the first N weeks? ISSUE-154: Are First parties allowed to use data (either offline or online) from third parties ISSUE-169: What do we mean by tracking? ISSUE-170: Definition of and what/whether limitations around data append ISSUE-178: Add "Marketing" to list of permitted uses in Compliance document ISSUE-179: Make sure in the spec that we clarify information provided explicitly by a user (e.g. data typed into a form on a site with a clear privacy policy) is not subject to DNT. ISSUE-180: Add "advertising" as a Permitted Use in the Compliance Document ISSUE-181: Finalize language regarding multiple first parties ISSUE-188: Definition of unlinkable data ISSUE-190: Sites with multiple first parties ISSUE-191: Non-normative Discussion of De-Identification > 2. Non-compliance with DNT would be a DAA violation. > ISSUE-35: How will DNT interact with existing opt-out programs (industry self-reg, other)? ISSUE-45: Companies making public commitments with a "regulatory hook" for US legal purposes ISSUE-48: Response from the server should indicate the server will honor it ISSUE-53: How should opt-out cookie and DNT signal interact? ISSUE-56: What if DNT is unspecified and an opt-out cookie is present? ISSUE-58: What if DNT is explicitly set to 0 and an opt-out cookie is present? > 3. The DAA would modify its current codes, notably including the current “market research” and “product development” exceptions to collection limits, including evaluation of potential retention limitation. > ISSUE-22: Still have "operational use" of data (auditing where of where ads are shown, impression tracking, etc.) ISSUE-25: Possible exemption for research purposes > 4. For DNT:1 users, there would be no persistent IDs if there is not a permitted use. The use of persistent IDs for permitted uses would be limited to the extent practical, and any such persistent IDs would be used only for any such permitted use. There would be of a broader study or effort to address data hygiene in the advertising eco-system, with the aim of identifying feasible, privacy-protective practices over time. > > Discussion of unique IDs cuts across many of the ISSUEs under #1. > 5. We would determine a way to have the DAA codes become a way for compliance with the W3C syntax. Thus, the DAA standard with the above modifications would be the working standard for companies. Adapt the W3C standard to conform to this approach. DAA would support and enforce against that. ISSUE-35: How will DNT interact with existing opt-out programs (industry self-reg, other)? > 6. DNT would be off by default. Specific standard on how to implement: > a. Through browsers—this is about browsers and not other user agents. Other user agents (UA) would not set a DNT flag in this round of the W3C work, and would be prohibited from activating a browser’s DNT flag. > b. The browser choice setting would be available in the browser settings panel, accessible from the traditional browser settings—not through an installation process or other similar mechanism. > c. Develop technological measures that, together with non-technological measures, greatly reduce the risk that anyone other than consumers are setting the choice. Develop a process on how to achieve this in a short time frame (3 months). > d. Brief and neutral description of the impact of turning the setting on. The browser choice setting would communicate the following to consumers: > i. The fact that if the browser choice setting is activated it limits collection and use of web viewing data for certain advertising and other purposes; > ii. The fact that when the browser setting is activated some data may still be collected and used for certain purposes and a description of such purposes; and > iii. The fact that if a consumer affirmatively allows a particular business to collect and use information about web viewing activities that the activating the setting will not limit collection and use from such entity. ISSUE-4: What is the default for DNT in client configuration (opt-in or opt-out)? ISSUE-8: How do we enhance transparency and consumer awareness? ISSUE-13: What are the requirements for DNT on apps/native software in addition to browsers? ISSUE-33: Complexity of user choice (are exemptions exposed to users)? ISSUE-41: Consistent way to discuss tracking with users (terminology matters!) ISSUE-42: Feedback to the user from the browser when Do Not Track is turned on ISSUE-95: May an institution or network provider set a tracking preference for a user? ISSUE-104: Could use a better defn of user agent, rather than browser ISSUE-143: Activating a Tracking Preference must require explicit, informed consent from a user ISSUE-144: User-granted Exceptions: Constraints on user agent behavior while granting and for future requests? ISSUE-149: Compliance section for user agents ISSUE-150: DNT conflicts from multiple user agents ISSUE-151: User Agent Requirement: Be able to handle an exception request ISSUE-152: User Agent Compliance: feedback for out-of-band consent ISSUE-153: What are the implications on software that changes requests but does not necessarily initiate them? ISSUE-161: Do we need a tracking status value for partial compliance or rejecting DNT? ISSUE-162: If we have a mechanism for indicating partial compliance, how do we convey to the user why, and what is ISSUE-163: How in the spec should we ensure user agents don't twist a user preference one way or another? ISSUE-172: How should user agents be required to provide information about DNT? ISSUE-176: Requirements on intermediaries/isps and header insertion that might affect tracking ISSUE-177: Should we specify compliance requirements for software and hardware other than user agents? For example, is a web server package compliant if it tweaks DNT headers? ISSUE-186: Ensure that browsers communicate DNT functionality accurately ISSUE-194: How should we ensure consent of users for DNT inputs?
Received on Tuesday, 7 May 2013 08:04:35 UTC