RE: ISSUE-5: Consensus definition of "tracking" for the intro? from Mike O'Neill on 2013-10-09 (public-tracking@w3.org from October 2013)

From: Mike O'Neill <michael.oneill@baycloud.com>
Date: Wed, 9 Oct 2013 21:11:06 +0100
To: "'Matthias Schunter $Intel Corporation$'" <mts-std@schunter.org>, <public-tracking@w3.org>
Cc: "'Roy T. Fielding'" <fielding@gbiv.com>, "David Singer" <singer@apple.com>
Message-ID: <007901cec52b$b09a9770$11cfc650$@baycloud.com>

I agree with David Singer that this is unclear. It seems to say retention of
identifiers is OK within one domain origin but that would allow them by
third-party frames and via redirection via other origin hosts. I know we
don't mean that it could be read that way. To make it clear we would then
have to further qualify the definition, maybe later when it is used for
instance in the third-party compliance section. We would have to say data
cannot be retained if referer(sic) headers, URL query parameters,
postMessage events and whatever communicate cross-domain data i.e. that the
identifier is somehow "attributable" to another domain/service.

We could make this clear in the definition by adding some non-normative text
like:

Non-normative.
It follows from this that data such as unique identifiers cannot be retained
by a third-party if they can be associated with another host domain or
service. 

Anyway, in my opinion the cross-domain qualification is already adequately
made elsewhere and putting it here just complicates things, so we should
remove "across multiple parties' domains or services and"  or use Option 3
or 4.

Mike


-----Original Message-----
From: Matthias Schunter (Intel Corporation) [mailto:mts-std@schunter.org] 
Sent: 09 October 2013 18:36
To: public-tracking@w3.org (public-tracking@w3.org)
Subject: ISSUE-5: Consensus definition of "tracking" for the intro?

Hi Team,

during our call, it seemed that the group was converging on a consensus for
this definition of tracking (option 5 by Roy):

         Tracking is the collection of data across multiple parties' 
domains or services and retention of that data in a
         form that remains attributable to a specific user, user agent, or
device.

It is our "old" definition - corrected for grammar.

Questions:
  (a) Are there further required improvements that we need to introduce?
  (b) Are there participants that cannot live with this style/type of
definition (assuming we can provide the required final fine-tuning)?

Regards,
matthias

Received on Wednesday, 9 October 2013 20:11:40 UTC