- From: Roy T. Fielding <fielding@gbiv.com>
- Date: Wed, 6 Nov 2013 17:13:18 -0800
- To: Mike O'Neill <michael.oneill@baycloud.com>
- Cc: "David Singer" <singer@apple.com>, <public-tracking@w3.org>
On Nov 6, 2013, at 1:24 PM, Mike O'Neill wrote:

>> It isn't necessary to think about tracking in terms of identifiers.
>> The mechanism is irrelevant to what the user is requesting.
>
> In order to track, the user or their traces need to be recognised. Faces, footprints and cookie ids are all identifiers. Tracking is impossible without them and they are intrinsic. The user wants the activity to stop so they do not want anyone to keep a record of their identifiers (in general).

You are confusing cause and effect. The user wants no tracking for this request and no use of data obtained from past tracking. The user doesn't care whether that tracking is via identifiers, algorithms that produce identifiers, or Minbari telepaths. If we focus too much on the mechanisms, we don't accurately reflect the user's preference.

>> Yes, that is "retention, use, or sharing of data derived from that activity outside the context in which it occurred."
>
> But the various data items to be combined exist simultaneously within a context.

Perhaps, but that isn't the context being referred to here. We are talking about the context in which the user's activity occurred. What we are saying here is that it is not tracking when a particular user's activity within a single context is only observable in that context and only usable (for personalization, etc.) within that same context: the context in which the activity occurred.

In vaguely EU terms, this is similar to the expected scope of a user's implied consent when intentionally using a first party site, but I am saying it in a way that does not assume a specific agreement on the boundaries of a context (e.g., not restricted to same-origin, domain owner, or some specific variation on same branding) and does not require the user to know who owns the context (not dependent on party, first/third, service provider, etc.). I am trying to capture the user's intent without mapping that onto an assumed compliance regime.

> Is it the derivation "outside the context" of the data or the sharing/retention/use of it which is not being permitted?

This is not about permitting or not permitting anything. It simply categorizes when a particular user would believe that they are being tracked from one service to another (not-same) service, as opposed to simply being provided a personalized service using only the data held by (or on behalf of) that one service.

....Roy

Received on Thursday, 7 November 2013 01:13:42 UTC