W3C home > Mailing lists > Public > public-tracking@w3.org > October 2013

Re: tracking-ISSUE-219 (Context separation): 3rd parties that are 1st parties must not use data across these contexts [Compliance Current]

From: David Wainberg <dwainberg@appnexus.com>
Date: Fri, 4 Oct 2013 08:51:06 -0400
Message-ID: <524EB9BA.1040902@appnexus.com>
To: Walter van Holst <walter.van.holst@xs4all.nl>
CC: "public-tracking@w3.org WG" <public-tracking@w3.org>

On 2013-10-04 3:39 AM, Walter van Holst wrote:
> On 03/10/2013 21:16, David Wainberg wrote:
>> Mike,
>>
>> On 2013-10-03 7:20 AM, Mike O'Neill wrote:
>>> If a user sees personalisation when they have explicitly requested not
>>> to be tracked they will assume their wishes are being ignored, and
>>> this will damage the credibility of Do Not Track.
>> I disagree. I realize it will be a challenge to get right, but since
>> users will be educated about what DNT does or does not do before they
>> make the choice to turn it on, they'll understand that any post-DNT:1
>> personalization they're seeing is being done in accordance with the DNT
>> rules, and so with limited data retention. In fact, users could come to
>> understand it as a great benefit: they get the personalization, but
>> without their browsing history being accumulated and retained.
> I rather doubt if that nuance will be caught by users who tend not to
> have an overly sophisticated mental model of how web browsing works. As
> Mike already said: customisation can to a certain extent be achieved
> through low-entropy cookies. Which may not always be easy to get right
> either, but is something that is objectively achievable.
So how much nuance can users take? It sounds like you're saying it's not 
possible to fully inform users of what DNT does.

But I think it's very understandable to users to say, "1) DNT means we 
will not accumulate a dossier of your browsing history online. 2) 
However, we may continue to customize content using privacy techniques 
that do not require a dossier of your browsing history." That's pretty 
simple, no?

>
> Trust is a precious thing and things have to change in order to stop the
> trust in the web being eroded by short term interests. This standard
> must be transparent and understandable to the average user.
Agreed!
>
> To give a few examples:
>
> - Facebook can easily change its like buttons based on a low-entropy
> cookie that indicates that a user is still logged in.
>
> - Facebook can also set a low-entropy cookie qualifying a user in a
> certain market segment or with a certain interest ("likes to travel")
> which would be helpful in its 3rd party context for customisation, but
> not for tracking.
>
> The latter may already be dodgy from a user trust perspective and need a
> lot of education. What you are proposing will be frankly impossible to
> sell to users.
>
> Also, I do distinctly recall you objecting to a free flow of data
> between 1st and 3rd party contexts on anti-competition grounds during
> the Amsterdam F2F.
I have consistently objected to distinctions based on 1st vs 3rd party 
business models that are anti-competitive and not founded on a 
reasonable or rational principle aimed at protecting privacy or that are 
anti-competitive and will not result in a net privacy benefit.

Best,

David
Received on Friday, 4 October 2013 12:51:29 UTC

This archive was generated by hypermail 2.3.1 : Friday, 3 November 2017 21:45:19 UTC