RE: ISSUE-198: Define new word for yellow state due to the fact that the process of de-identification spans all three states (red,yellow and green).

John,

With the inability to manage legitimate DNT:1 signals, this was a proposed concession point.  If DNT:1 signals can be technically structured such that Servers have confidence they were actually turned on by users, then I believe we could go back to equating DNT:1 to the industry opt-out program.  Today the volume of non-browser, non-user activated DNT signals is growing at an alarming rate.  The cost of adding DNT:1 to the header is very inexpensive from a technical perspective (13 lines of code for Sid to initially add this to Firefox) and it offers that product the ability to now they are "privacy protective" (browser add-ons, toolbars, anti-virus vendors, access points and routers, network intermediaries, firewalls, etc.).  To use Matthias's phrase, we're seeing a proliferation of DNT signals "spraying" into the ecosystem.  I'm still hopeful solutions can be found to contain the issue otherwise we should expect to see a world of DNT:1 rates exceed 80-90% (trend line guesstimate - levels are not there today) with a real question of which ones are or are not legitimate.

- Shane

-----Original Message-----
From: John Simpson [mailto:john@consumerwatchdog.org] 
Sent: Wednesday, May 15, 2013 3:56 PM
To: Shane Wiley
Cc: rob@blaeu.com; Mike O'Neill; 'Tracking Protection Working Group'
Subject: Re: ISSUE-198: Define new word for yellow state due to the fact that the process of de-identification spans all three states (red,yellow and green).

Shane,

Maybe it's getting toward the end of the day, or I'm particularly dense today.  Are you saying you'd target ads to users with DNT:1 enabled, but that they could prevent this by taking an additional step and go to the AdChoices/Opt-out program?

Thanks,
John



On May 15, 2013, at 3:39 PM, Shane Wiley <wileys@yahoo-inc.com> wrote:

> Rob,
> 
> Agree - the goal of the "middle state" is to find that middle place where data is not able to be used to modify a specific user's experience and still be able to have business value in the data for analytics/reporting.  I do want to call out that in the first stage, the updated proposal does carry an "Aggregate Scoring" element where knowledge of a cookie ID can be assembled (interest in Autos score = 2) and the raw data no longer accessible.  This divorces the ID from the URL such that the users actual web activity cannot be untangled from the aggregated score.  In this case, the current AdChoices/Opt-Out program would halt that activity.
> 
> As far as new names, I'll keep thinking about this one but "Disconnected" data may be an acceptable one.  
> 
> - Shane
> 
> -----Original Message-----
> From: Rob van Eijk [mailto:rob@blaeu.com]
> Sent: Wednesday, May 15, 2013 2:51 PM
> To: Shane Wiley
> Cc: Mike O'Neill; 'John Simpson'; 'Tracking Protection Working Group'
> Subject: RE: ISSUE-198: Define new word for yellow state due to the fact that the process of de-identification spans all three states (red,yellow and green).
> 
> 
> It is good to acknowledge, that when DNT:1 profiling/targeting must not occur to a computer, user or device. If 'de-identified' means that targeting/profiling can still happen to a unique ID that is attached to a computer or a device, then we need more discussion at a later point in time. In any case, having a new word for 'de-identified' would get us out of this ambiguity for the moment.
> 
> Rob
> 
> Shane Wiley schreef op 2013-05-15 23:23:
>> Mike,
>> 
>> The tri-state de-identification process attempts to solve for a 
>> middle ground such that activity can be collected against a 
>> persistent identifier but that identifier is not able to connect to 
>> devices/users in the real-world so profiling/targeting to an actual 
>> data subject does not occur.  There is some risk in this model so to 
>> further remove that risk a third state is defined that removes the 
>> persistence in identifiers (or removes the identifiers completely) so 
>> there is no/less risk of re-identification.
>> 
>> - Shane
>> 
>> -----Original Message-----
>> From: Mike O'Neill [mailto:michael.oneill@baycloud.com]
>> Sent: Wednesday, May 15, 2013 2:05 PM
>> To: 'John Simpson'; Shane Wiley
>> Cc: rob@blaeu.com; 'Tracking Protection Working Group'
>> Subject: RE: ISSUE-198: Define new word for yellow state due to the 
>> fact that the process of de-identification spans all three states 
>> (red,yellow and green).
>> 
>> I think these multi-coloured data types are really a red herring.
>> 
>> The reality is that tracking, aka collecting someone's web history 
>> over time and across multiple domains, needs a unique identifier 
>> somehow stored in the UA or it uses the IP address. Currently, in the 
>> vast majority of cases, the identifier is encoded in a cookie but it 
>> could also be held in localStorage or the cache (IP addresses are 
>> usually unsuitable because they are often shared with others and 
>> change over time - when IPv6 becomes the norm they will use the 
>> anonymous form and last only a few hours)
>> 
>> Because browsers are increasingly blocking third-party cookies, in 
>> the near future tracking identifiers will be held in localStorage or 
>> in first-party cookies which are then shared with third-parties.
>> 
>> If this identifier has a long persistence, i.e. it lasts for months 
>> or years, then the UA can be recognised on subsequent visits over 
>> that period, i.e. the user's device/browser session is being singled-out.
>> 
>> The data collected may be stripped of immediately identifying 
>> characteristics but it can still be used to determine a single 
>> profiling data point. If the identifier is not deleted or otherwise 
>> limited to a short duration then these data points will be chained 
>> together over time and used to profile the individual.
>> 
>> A Do Not Track signal should be seen as an explicit indication that 
>> the individual requires this not to happen.
>> 
>> Mike
>> 
>> 
>> 
>> -----Original Message-----
>> From: John Simpson [mailto:john@consumerwatchdog.org]
>> Sent: 15 May 2013 20:51
>> To: Shane Wiley
>> Cc: rob@blaeu.com; Tracking Protection Working Group
>> Subject: Re: ISSUE-198: Define new word for yellow state due to the 
>> fact that the process of de-identification spans all three states 
>> (red,yellow and green).
>> 
>> Shane,
>> I'm not sure I follow how raw data equates with pseudonymous data.
>> Could you please point me to definitions you're using so I can better 
>> understand what you mean here.
>> Thanks,
>> John
>> 
>> On May 15, 2013, at 12:40 PM, Shane Wiley <wileys@yahoo-inc.com>
>> wrote:
>> 
>>> Rob,
>>> 
>>> I strongly disagree and believe based on the current definitions of
>> pseudonymous being considered in the EU context, data in the Red area 
>> can meet this definition.  Similarly, yellow data meets the 
>> definition of de-identified in both the FTC and DAA contexts - whereas "Unlinked"
>> is a bit more debatable.
>>> 
>>> So I believe it's still appropriate to define these as:
>>> 
>>> Stage 1:  Raw/Pseudonymous
>>> Stage 2:  De-Identified
>>> Stage 3:  Unlinkable (or simply - Out of Scope)
>>> 
>>> As these terms has highly loaded in the regulatory context there 
>>> will
>> continue to be significant sensitivity to naming conventions here.
>> This is similarly true of the color scheme proposed due to the 
>> immediate traffic light connotations it invokes (green = good, yellow 
>> = caution, red = bad).
>> I was okay (not happy) with using colors in this manner but don't 
>> believe it's fair to over bias the definitions of each phase based on 
>> an overly conservative read of existing definitions.
>>> 
>>> - Shane
>>> 
>>> -----Original Message-----
>>> From: Rob van Eijk [mailto:rob@blaeu.com]
>>> Sent: Wednesday, May 15, 2013 12:03 PM
>>> To: Tracking Protection Working Group
>>> Subject: ISSUE-198: Define new word for yellow state due to the fact 
>>> that
>> the process of de-identification spans all three states (red,yellow 
>> and green).
>>> 
>>> 
>>> Dear group,
>>> 
>>> As discussed at the Face to Face and a previous thread [1], there is
>> confusion on the word de-identified data. We discussed the three 
>> state model, that I introduced in Cambridge. The FTC text defines 
>> unlinkability in terms of de-identification, which makes the term 
>> de-identified applicable for the green state. The DAA text Due to the 
>> fact that the process of de-identification spans up to the green 
>> state when data is considered unlinkable, I would like to propose a 
>> new term for the yellow domain.
>>> 
>>> <text proposal>
>>> 
>>> red data: raw data, event level data yellow data: pseudonumous data 
>>> green data: de-identified data
>>> 
>>> </text proposal>
>>> 
>>> 
>>> [1]
>>> http://lists.w3.org/Archives/Public/public-tracking/2013Mar/0147.htm
>>> l
>>> 
>>> Tracking Protection Working Group Issue Tracker schreef op 
>>> 2013-05-15
>>> 20:47:
>>>> ISSUE-198: Define new word for yellow state due to the fact that 
>>>> the process of de-identification spans all three states (red,yellow 
>>>> and green).
>>>> 
>>>> http://www.w3.org/2011/tracking-protection/track/issues/198
>>>> 
>>>> Raised by:
>>>> On product:
>>> 
> 

Received on Wednesday, 15 May 2013 23:17:11 UTC