- From: Roy T. Fielding <fielding@gbiv.com>
- Date: Thu, 10 Oct 2013 17:39:18 -0700
- To: John Simpson <john@consumerwatchdog.org>
- Cc: "public-tracking@w3.org (public-tracking@w3.org)" <public-tracking@w3.org>
- Message-Id: <629F702F-C93C-4639-BABD-3F9C831F428B@gbiv.com>
Ah, now I can critique two definitions in one response ... On Oct 10, 2013, at 1:15 PM, John Simpson wrote: > I don't want to rain on your march toward consensus parade, but I have trouble with the " across multiple parties' domains or services" language. Why? > It seems to me Rob's language -- proposal 4 -- has it exactly right, particularly when you include his suggested non-normative text: > >> "Tracking is any form of collection, retention, use and/or application of data that are, or can be, associated with a specific user, user agent, or device. >> Allow me to illustrate why this is false. When you login to your online bank account (certainly an application of data that is associated with you), is the bank tracking you? Is DNT:1 going to turn that off? When you make an online purchase using a credit card for payment, is the shop tracking you? Is DNT:1 going to turn that off? [The credit card company is certain to be tracking you, but is the shop tracking you?] When you physically walk into a 7-11 and the security camera records a video of your presence in the store, to be automatically erased after 24 hours if not needed by law enforcement, is the store tracking you? [Law enforcement could by obtaining the recordings from every camera in the vicinity, but is the store tracking you, and if so, why do we have a meaningful distinction between same-premise cameras and camera networks intended to follow a person's movements?] When a site offers you a sweepstakes entry form in which the data provided is only used to record entries for the duration of the contest, and you decide to provide PII in that form, is the site tracking you? Is everyone on this email list tracking you? You sent us your email address, so according to that definition we all are. When you order pizza over the telephone, provide your address for the sake of the order, and the company discards that data after the delivery, is that tracking you? When you do the same online, is the pizza company tracking you? Is it possible for you to make an HTTP request on the Internet without all recipients being defined as tracking you? If not, then why are we wasting our time? >> "non normative explanation: >> >> Tracking is not exclusively connected to unique ID cookies. >> Right. >> Tracking includes automated real time decisions, >> (I assume that comma is not meant to be there) >> intended to analyse or predict the personality or certain personal aspects relating to a natural person, including the analysis and prediction of the person’s health, economic situation, information on political or philosophical beliefs , performance at work, leisure, personal preferences or interests, details and patterns on behavior, detailed location or movements. >> No, actually, most of those can be determined by context (i.e., what page you are looking at right now), and thus are not in themselves tracking. Tracking implies a time shift. Tracking can be used to construct profiles, which can do the above *and* be a privacy risk. Context-based analysis does not involve profiles. >> Tracking is defined in a technological neutral way and includes e.g. cookie based tracking technology, active and passive fingerprinting techniques. >> Tracking, as defined above, includes everything on the Internet. > I can live with what's in the the current editors draft: > > Tracking is the retention or use, after a network interaction is complete, of data that are, or can be, associated with a specific user, user agent, or device. Likewise, that says all data use on the Internet is tracking. Let's shorten it in a way that still includes just half of what the above definition defines as tracking: Tracking is the retention of personal data. I claim that the above definition has no relation to our work. There is nothing in the original DNT proposal that would suggest a user's expectations when setting DNT:1 would be that they could only perform anonymous activity on the Internet. In fact, the original proposal only sent DNT when making (what the author believed to be) a request to a third party --- an embedded request to some domain other than that of the primary page. Let's compare that to how DNT implementations are described by the browsers and servers that implement them: http://datatracker.ietf.org/doc/draft-mayer-do-not-track/ This document defines the syntax and semantics of Do Not Track, an HTTP header-based mechanism that enables users to express preferences about third-party web tracking. http://www.mozilla.org/en-US/dnt/ Do Not Track is a feature in Firefox that allows you to let a website know you would like to opt-out of third-party tracking for purposes including behavioral advertising. It does this by transmitting a Do Not Track HTTP header every time your data is requested from the Web. https://twitter.com/privacy If you prefer, you can turn off tailored ads in Twitter account settings so that your account is not matched to information shared by ad partners for tailoring ads. https://en.help.pinterest.com/entries/25010303 If you don’t want Pinterest using stuff you do off Pinterest to personalize your experience, here are some things you can do: Note that the last two are account-based services that retain extensive PII about each account holder, and yet the privacy folks here were quite vocal in their approval of the fact that these sites honor DNT. So, what's it going to be? Are we going to define Do Not Track as described by the people who claim to have implemented it, or are we going to define the entirety of EU Data Protection under a term that is being abused for public fear-mongering? ....Roy
Received on Friday, 11 October 2013 00:39:32 UTC