W3C home > Mailing lists > Public > public-tracking@w3.org > November 2013

RE: ISSUE-5: Consensus definition of "tracking" for the intro?

From: Mike O'Neill <michael.oneill@baycloud.com>
Date: Thu, 7 Nov 2013 10:05:15 -0000
To: "'Roy T. Fielding'" <fielding@gbiv.com>
Cc: "'David Singer'" <singer@apple.com>, <public-tracking@w3.org>
Message-ID: <075c01cedba0$db715110$9253f330$@baycloud.com>
Hash: SHA1

> On Nov 6, 2013, at 1:24 PM, Mike O'Neill wrote:
> >> It isn't necessary to think about tracking in terms of identifiers.
> >> The mechanism is irrelevant to what the user is requesting.
> >
> > In order to track, the user or their traces need to be recognised. Faces,
> footprints and cookie ids are all identifiers. Tracking is impossible without them
> and they are intrinsic. The user wants the activity to stop so they do not want
> anyone to keep a record of their identifiers (in general).
> You are confusing cause and effect.  The user wants no tracking
> for this request and no use of data obtained from past tracking.
> The user doesn't care whether that tracking is via identifiers,
> algorithms that produce identifiers, or Minbari telepaths.
> If we focus too much on the mechanisms, we don't accurately
> reflect the user's preference.
[Mike O'Neill] 
Identifiers are not a mechanism, they are a defining feature. Even the Minbari telepath has to discriminate your brain waves from others, even if in a way mysterious to Earthlings.

> >> Yes, that is "retention, use, or sharing of data derived from that activity
> outside the context in which it occurred."
> >
> > But the various data items to be combined  exist simultaneously within a
> context.
> Perhaps, but that isn't the context being referred to here.
> We are talking about the context in which the user's activity
> occurred.  What we are saying here is that it is not tracking
> when a particular user's activity within a single context is only
> observable in that context and only usable (for personalization, etc.)
> within that same context: the context in which the activity occurred.
[Mike O'Neill] 
So then we have to define context to pin down the meaning of Candidate A.

> In vaguely EU terms, this is similar to the expected scope of
> a user's implied consent when intentionally using a first
> party site, but I am saying it in a way that does not assume
> a specific agreement on the boundaries of a context (e.g.,
> not restricted to same-origin, domain owner, or some specific
> variation on same branding) and does not require the user to
> know who owns the context (not dependent on party, first/third,
> service provider, etc.).  I am trying to capture the user's
> intent without mapping that onto an assumed compliance regime.
[Mike O'Neill] 
Then this needs to be made clear.

> > Is it the derivation "outside the context" of the data or the
> sharing/retention/use of it which is not being permitted?
> This is not about permitting or not permitting anything.
> It simply categorizes when a particular user would believe
> that they are being tracked from one service to another
> (not-same) service, as opposed to simply being provided a
> personalized service using only the data held by (or on behalf
> of) that one service.
[Mike O'Neill] 

So are you saying data can be derived, as long as it is not shared?

There's the rub. In order to personalise the service must recognise and so identify you. It must derive this identifiable data "outside the context", retain it, and potentially connect it with other data it has already gathered about you. A database is being built up, and this is obvious to you because your service has been personalised. 

If you have asked for the service, then fine. But not if you have demanded not to be tracked.

Version: GnuPG v1.4.13 (MingW32)
Comment: Using gpg4o v3.1.107.3564 - http://www.gpg4o.de/
Charset: utf-8

Received on Thursday, 7 November 2013 10:05:49 UTC

This archive was generated by hypermail 2.3.1 : Friday, 3 November 2017 21:45:20 UTC