Re: ISSUE-5: Consensus definition of "tracking" for the intro?

Ah, now I can critique two definitions in one response ...

On Oct 10, 2013, at 1:15 PM, John Simpson wrote:

> I don't want to rain on your march toward consensus parade, but I have trouble with the " across multiple parties' domains or services" language.

Why?

> It seems to me Rob's language -- proposal 4 -- has it exactly right, particularly when you include his suggested non-normative text:
> 
>> "Tracking is any form of collection, retention, use and/or application of data that are, or can be, associated with a specific user, user agent, or device.
>> 

Allow me to illustrate why this is false.

When you login to your online bank account (certainly an application
of data that is associated with you), is the bank tracking you?
Is DNT:1 going to turn that off?

When you make an online purchase using a credit card for payment,
is the shop tracking you?  Is DNT:1 going to turn that off?
[The credit card company is certain to be tracking you, but is
the shop tracking you?]

When you physically walk into a 7-11 and the security camera records
a video of your presence in the store, to be automatically erased after
24 hours if not needed by law enforcement, is the store tracking you?
[Law enforcement could by obtaining the recordings from every camera
in the vicinity, but is the store tracking you, and if so, why do we
have a meaningful distinction between same-premise cameras and
camera networks intended to follow a person's movements?]

When a site offers you a sweepstakes entry form in which the data
provided is only used to record entries for the duration of the
contest, and you decide to provide PII in that form, is the site
tracking you?

Is everyone on this email list tracking you?  You sent us your
email address, so according to that definition we all are.

When you order pizza over the telephone, provide your address
for the sake of the order, and the company discards that data after
the delivery, is that tracking you?  When you do the same online,
is the pizza company tracking you?

Is it possible for you to make an HTTP request on the Internet
without all recipients being defined as tracking you?  If not,
then why are we wasting our time?

>> "non normative explanation:
>> 
>> Tracking is not exclusively connected to unique ID cookies.
>> 
Right.
>> Tracking includes automated real time decisions,
>> 
(I assume that comma is not meant to be there)
>> intended to analyse or predict the personality or certain personal aspects relating to a natural person, including the analysis and prediction of the person’s health, economic situation, information on political or philosophical beliefs , performance at work, leisure, personal preferences or interests, details and patterns on behavior, detailed location or movements.
>> 

No, actually, most of those can be determined by context (i.e., what
page you are looking at right now), and thus are not in themselves
tracking.  Tracking implies a time shift.  Tracking can be used to
construct profiles, which can do the above *and* be a privacy risk.
Context-based analysis does not involve profiles.

>> Tracking is defined in a technological neutral way and includes e.g. cookie based tracking technology, active and passive fingerprinting techniques.
>> 

Tracking, as defined above, includes everything on the Internet.

> I can live with what's in the the current editors draft:
> 
> Tracking is the retention or use, after a network interaction is complete, of data that are, or can be, associated with a specific user, user agent, or device.

Likewise, that says all data use on the Internet is tracking.

Let's shorten it in a way that still includes just half of what
the above definition defines as tracking:

  Tracking is the retention of personal data.

I claim that the above definition has no relation to our work.

There is nothing in the original DNT proposal that would suggest
a user's expectations when setting DNT:1 would be that they could
only perform anonymous activity on the Internet.  In fact, the
original proposal only sent DNT when making (what the author believed
to be) a request to a third party --- an embedded request to some
domain other than that of the primary page.

Let's compare that to how DNT implementations are
described by the browsers and servers that implement them:

http://datatracker.ietf.org/doc/draft-mayer-do-not-track/

   This document defines the syntax and semantics of Do Not Track,
   an HTTP header-based mechanism that enables users to express
   preferences about third-party web tracking.

http://www.mozilla.org/en-US/dnt/

   Do Not Track is a feature in Firefox that allows you to let
   a website know you would like to opt-out of third-party tracking
   for purposes including behavioral advertising. It does this by
   transmitting a Do Not Track HTTP header every time your data
   is requested from the Web.

https://twitter.com/privacy

   If you prefer, you can turn off tailored ads in Twitter account
   settings so that your account is not matched to information
   shared by ad partners for tailoring ads.

https://en.help.pinterest.com/entries/25010303

   If you don’t want Pinterest using stuff you do off Pinterest
   to personalize your experience, here are some things you can do:

Note that the last two are account-based services that retain
extensive PII about each account holder, and yet the privacy folks
here were quite vocal in their approval of the fact that these
sites honor DNT.

So, what's it going to be?  Are we going to define Do Not Track
as described by the people who claim to have implemented it, or
are we going to define the entirety of EU Data Protection under
a term that is being abused for public fear-mongering?

....Roy

Received on Friday, 11 October 2013 00:39:32 UTC