W3C home > Mailing lists > Public > public-tracking@w3.org > November 2013

Re: ISSUE-5: Consensus definition of "tracking" for the intro?

From: Roy T. Fielding <fielding@gbiv.com>
Date: Wed, 6 Nov 2013 17:13:18 -0800
Cc: "David Singer" <singer@apple.com>, <public-tracking@w3.org>
Message-Id: <AA4478BD-1B5A-46C3-8B3B-2C0EDF4B3B83@gbiv.com>
To: Mike O'Neill <michael.oneill@baycloud.com>
On Nov 6, 2013, at 1:24 PM, Mike O'Neill wrote:

>> It isn't necessary to think about tracking in terms of identifiers.
>> The mechanism is irrelevant to what the user is requesting. 
> 
> In order to track, the user or their traces need to be recognised. Faces, footprints and cookie ids are all identifiers. Tracking is impossible without them and they are intrinsic. The user wants the activity to stop so they do not want anyone to keep a record of their identifiers (in general).

You are confusing cause and effect.  The user wants no tracking
for this request and no use of data obtained from past tracking.
The user doesn't care whether that tracking is via identifiers,
algorithms that produce identifiers, or Minbari telepaths.

If we focus too much on the mechanisms, we don't accurately
reflect the user's preference.

>> Yes, that is "retention, use, or sharing of data derived from that activity outside the context in which it occurred."
> 
> But the various data items to be combined  exist simultaneously within a context.

Perhaps, but that isn't the context being referred to here.
We are talking about the context in which the user's activity
occurred.  What we are saying here is that it is not tracking
when a particular user's activity within a single context is only
observable in that context and only usable (for personalization, etc.)
within that same context: the context in which the activity occurred.

In vaguely EU terms, this is similar to the expected scope of
a user's implied consent when intentionally using a first
party site, but I am saying it in a way that does not assume
a specific agreement on the boundaries of a context (e.g.,
not restricted to same-origin, domain owner, or some specific
variation on same branding) and does not require the user to
know who owns the context (not dependent on party, first/third,
service provider, etc.).  I am trying to capture the user's
intent without mapping that onto an assumed compliance regime.

> Is it the derivation "outside the context" of the data or the sharing/retention/use of it which is not being permitted?

This is not about permitting or not permitting anything.
It simply categorizes when a particular user would believe
that they are being tracked from one service to another
(not-same) service, as opposed to simply being provided a
personalized service using only the data held by (or on behalf
of) that one service.

....Roy
Received on Thursday, 7 November 2013 01:13:42 UTC

This archive was generated by hypermail 2.3.1 : Friday, 3 November 2017 21:45:20 UTC