Re: ISSUE-5: Consensus definition of "tracking" for the intro?

On Oct 18, 2013, at 9:33 , Roy T. Fielding <fielding@gbiv.com> wrote:

>> So, concretely, a hidden third-party tracker on a page can remember that you visited that page, or not?  If not, can it remember the nature of the site you visited (it was a guns and ammo kind of site)?  When you made the transaction?  Your IP address, geolocation, local time of day, user-agent, …?
> 
> All of that data is user activity in the first party context.

I was asking specifically about the 3rd party, recording what it gets in, and derived from, the HTTP requests.


>  If the
> third-party tracker observes it, then any of the following will cause
> it to be tracking under this definition:
> 
>  1) the third party observes the user's browsing activity in any
>     other context, including one where it is the first party;
> 
>  2) the data is provided to anyone other than the first party and
>     they combine it with observations obtained from any other context.
> 
> This is analogous to walking down the street, seeing a person with
> an unusual t-shirt, saying Hi, and continuing on with your walk.
> If you don't see that person again (or at least don't recognize
> them in a different shirt), then it cannot be tracking.  If you
> do see them again, at the same location, then it still isn't tracking.
> If, however, you see and recognize them again in a different location
> and choose to remember that fact, then you have tracked them.

Tracking only happens the 2nd and subsequent times??

> 
>> This seems to permit the accumulation, by third parties, of a lot of data about the user, and I am unsure if that's your intent, or it's accidental, or a misread on my part.
> 
> Yes, a third party can learn the data provided by the user agent in
> a specific context.  The immediate example of that is contextual
> advertising, which we already agreed is not tracking.

That's not learning, that's using the data in the transaction itself.

> 
> Note, however, that all of your examples assume that they also know
> who "you" is.  Why do you think the third party would know that
> information?

I tend to provide an IP address and other distinguishing data, such as a fingerprint, in transactions.  The third party could have cookied me the first time, too.

> If they are relying on any other information, from any
> other source, that has the effect of identifying you, then they are
> already tracking according to that definition.
> 
>>> The reason it is there is because
>>> the verb tracking and the privacy concern we are trying to address
>>> are both about identifying the trail of an individual as they
>>> proceed from place to place.  Specifically, remembering that a
>>> person was at a single place is not tracking unless that memory
>>> is shared with someone else or combined with memories of other
>>> places.
>> 
>> But the next and subsequent times I visit a site that has the same third-party tracker on it, and they are allowed to remember some data that's associated with me, how is it NOT forming a trail?
> 
> Because it is the same context.  The fact that a given user agent
> visited the same site more than once is not a privacy concern if
> the third party doesn't know anything else about the user.

No, I visit two DIFFERENT sites with the SAME 3rd party tracker.  What is that 3rd party allowed to remember under your definition?  What is NOT tracking data?

Saying the 2nd transaction is tracking is double-speak; I don't know it's the 2nd unless I can correlate it with the first.


David Singer
Multimedia and Software Standards, Apple Inc.

Received on Tuesday, 5 November 2013 08:58:02 UTC