W3C home > Mailing lists > Public > public-tracking@w3.org > October 2013

Re: ISSUE-5: Consensus definition of "tracking" for the intro?

From: Vinay Goel <vigoel@adobe.com>
Date: Thu, 10 Oct 2013 17:41:55 -0700
To: "Mike O'Neill" <michael.oneill@baycloud.com>, "'John Simpson'" <john@consumerwatchdog.org>, "'Matthias Schunter (Intel Corporation)'" <mts-std@schunter.org>
CC: "public-tracking@w3.org" <public-tracking@w3.org>, "'Roy T. Fielding'" <fielding@gbiv.com>, "'David Singer'" <singer@apple.com>
Message-ID: <CE7C964F.5AC1%vigoel@adobe.com>
Hi Mike,

I respectively object to this proposal.  We are trying to define 'Track' within Do Not Track so that both a server and a consumer know what Do Not Track means.  I believe it gets overly difficult for consumers if they see/read Do Not Track, but the implementations on the backend focus on 'do not cross-domain track'.

Also, I object to 'without the user being aware'.  That would suggest that if a web publisher includes 'this ad is served by Acme' in a spot where the consumer sees it, then Acme wouldn't be engaged as a 3rd party doing cross-domain tracking because the user was made aware of it.


From: Mike O'Neill <michael.oneill@baycloud.com<mailto:michael.oneill@baycloud.com>>
Date: Thursday, October 10, 2013 4:17 PM
To: 'John Simpson' <john@consumerwatchdog.org<mailto:john@consumerwatchdog.org>>, "'Matthias Schunter (Intel Corporation)'" <mts-std@schunter.org<mailto:mts-std@schunter.org>>
Cc: "public-tracking@w3.org<mailto:public-tracking@w3.org>" <public-tracking@w3.org<mailto:public-tracking@w3.org>>, "'Roy T. Fielding'" <fielding@gbiv.com<mailto:fielding@gbiv.com>>, 'David Singer' <singer@apple.com<mailto:singer@apple.com>>
Subject: RE: ISSUE-5: Consensus definition of "tracking" for the intro?
Resent-From: <public-tracking@w3.org<mailto:public-tracking@w3.org>>
Resent-Date: Thursday, October 10, 2013 4:17 PM

Hi Roy, Matthias

How about we use option 4 (or a combination of options 3 & 4 with Robís non-normative text) for a definition of tracking and then add a derivative definition of cross-domain tracking that contains the context qualification.

As in:

Cross-domain Tracking is a type of tracking in which data is collected or retained by a party without the user being aware, i.e. by a party other than the one in control of the web page the user has explicitly linked to or visited.

Non-Normative Text
This standard is intended to give a user the capability to limit cross-domain tracking. In some jurisdictions the DNT signal could also be taken to communicate explicit consent to wider data collection but the standard does not address that.

The last bit is my attempt at non-normative sugar which might help make the signal more useful in the EU.


From: John Simpson [mailto:john@consumerwatchdog.org]
Sent: 10 October 2013 21:32
To: Matthias Schunter (Intel Corporation)
Cc: Mike O'Neill; public-tracking@w3.org<mailto:public-tracking@w3.org>; 'Roy T. Fielding'; David Singer
Subject: Re: ISSUE-5: Consensus definition of "tracking" for the intro?

Sorry for typos:
that should be " xxxx his suggested non-normative text:" at end of 1st graph.

On Oct 10, 2013, at 1:15 PM, John Simpson <john@consumerwatchdog.org<mailto:john@consumerwatchdog.org>> wrote:

Hi Matthias,

I don't want to rain on your march toward consensus parade, but I have trouble with the " across multiple parties' domains or services" language. It seems to me Rob's language -- proposal 4 -- has it exactly right, particular;y when you include is suggested uninformative text:

"Tracking is any form of collection, retention, use and/or application of data that are, or can be, associated with a specific user, user agent, or device.

"non normative explanation: Tracking is not exclusively connected to unique ID cookies. Tracking includes automated real time decisions, intended to analyse or predict the personality or certain personal aspects relating to a natural person, including the analysis and prediction of the personís health, economic situation, information on political or philosophical beliefs , performance at work, leisure, personal preferences or interests, details and patterns on behavior, detailed location or movements. Tracking is defined in a technological neutral way and includes e.g. cookie based tracking technology, active and passive fingerprinting techniques."
I can live with what's in the the current editors draft:

Tracking is the retention or use, after a network interaction is complete, of data that are, or can be, associated with a specific user, user agent, or device.


On Oct 10, 2013, at 3:15 AM, Matthias Schunter (Intel Corporation) <mts-std@schunter.org<mailto:mts-std@schunter.org>> wrote:

Hi Mike,

thanks for your feedback!

I have two questions:
- Could you live with the proposed text if we decided not to change it?
- If not, are there specific (hopefully small) text changes that we could make to allow you to live with this proposal?

Personal remark: While I agree with your points, it is important to note that we aim for a text that is "good enough" and  does not need to be perfect.
I.e., an outcome that introduces tracking in a understandable way while covering 80% of what we mean would IMHO be good enough even if there are some corner cases that are not captured 100% accurately.

On 09/10/2013 22:11, Mike O'Neill wrote:

I agree with David Singer that this is unclear. It seems to say retention of
identifiers is OK within one domain origin but that would allow them by
third-party frames and via redirection via other origin hosts. I know we
don't mean that it could be read that way. To make it clear we would then
have to further qualify the definition, maybe later when it is used for
instance in the third-party compliance section. We would have to say data
cannot be retained if referer(sic) headers, URL query parameters,
postMessage events and whatever communicate cross-domain data i.e. that the
identifier is somehow "attributable" to another domain/service.

We could make this clear in the definition by adding some non-normative text

It follows from this that data such as unique identifiers cannot be retained
by a third-party if they can be associated with another host domain or

Anyway, in my opinion the cross-domain qualification is already adequately
made elsewhere and putting it here just complicates things, so we should
remove "across multiple parties' domains or services and"  or use Option 3
or 4.


-----Original Message-----
From: Matthias Schunter (Intel Corporation) [mailto:mts-std@schunter.org<mailto:std@schunter.org>]
Sent: 09 October 2013 18:36
To: public-tracking@w3.org<mailto:public-tracking@w3.org> (public-tracking@w3.org<mailto:public-tracking@w3.org>)
Subject: ISSUE-5: Consensus definition of "tracking" for the intro?

Hi Team,

during our call, it seemed that the group was converging on a consensus for
this definition of tracking (option 5 by Roy):

         Tracking is the collection of data across multiple parties'
domains or services and retention of that data in a
         form that remains attributable to a specific user, user agent, or

It is our "old" definition - corrected for grammar.

  (a) Are there further required improvements that we need to introduce?
  (b) Are there participants that cannot live with this style/type of
definition (assuming we can provide the required final fine-tuning)?

Received on Friday, 11 October 2013 00:42:27 UTC

This archive was generated by hypermail 2.3.1 : Friday, 3 November 2017 21:45:19 UTC