RE: ISSUE-5: Consensus definition of "tracking" for the intro?

Roy,

The examples you give do not constrain tracking consent to the cross-domain
situation. Sure, when you visit a site they may track you, but they don't
have to. If you log in you are giving consent to be identified on subsequent
visits (authenticated by a persistent unique id) but you have given consent.
This is recognised by the ePrivacy directive as storage "strictly necessary
to fulfil a service specifically requested by the user", and in our standard
by the UGE API or letting OOBC override DNT. If you visit your bank with DNT
set they could say (and they have to anyway in Europe) "when you click the
login button you are giving consent to us storing data in your browser so we
can recognise your browser in future visits. This data will be deleted after
X days if you do not visit us again within that period.". There is no
requirement for more clicks from the user, just that they be given a simple
explanation of what is going on. If you casually browse a site without
specifically identifying yourself by logging in or registering then in my
opinion you should be informed before you are tracked.

Your point about CCTV is addressed by the permitted uses and purpose
limitation.

The reason this is an issue is the early decision by this group to limit
itself to cross-domain tracking, and as I have said this caused more
difficulties than it solved (not least the loss of a level playing field).
If we can quickly get to a meaningful consensus around the context
qualification then I don't wish to rock the boat but we should not reduce
the clarity of the compliance spec by overloading it on to the definition of
tracking.

Mike

From: Roy T. Fielding [mailto:fielding@gbiv.com] 
Sent: 11 October 2013 01:39
To: John Simpson
Cc: public-tracking@w3.org (public-tracking@w3.org)
Subject: Re: ISSUE-5: Consensus definition of "tracking" for the intro?

Ah, now I can critique two definitions in one response ...

On Oct 10, 2013, at 1:15 PM, John Simpson wrote:

I don't want to rain on your march toward consensus parade, but I have
trouble with the "across multiple parties' domains or services" language.

Why?

It seems to me Rob's language -- proposal 4 -- has it exactly right,
particularly when you include his suggested non-normative text:

"Tracking is any form of collection, retention, use and/or application of
data that are, or can be, associated with a specific user, user agent, or
device.

Allow me to illustrate why this is false.

When you login to your online bank account (certainly an application
of data that is associated with you), is the bank tracking you?
Is DNT:1 going to turn that off?

When you make an online purchase using a credit card for payment,
is the shop tracking you?  Is DNT:1 going to turn that off?
[The credit card company is certain to be tracking you, but is
the shop tracking you?]

When you physically walk into a 7-11 and the security camera records
a video of your presence in the store, to be automatically erased after
24 hours if not needed by law enforcement, is the store tracking you?
[Law enforcement could by obtaining the recordings from every camera
in the vicinity, but is the store tracking you, and if so, why do we
have a meaningful distinction between same-premise cameras and
camera networks intended to follow a person's movements?]

When a site offers you a sweepstakes entry form in which the data
provided is only used to record entries for the duration of the
contest, and you decide to provide PII in that form, is the site
tracking you?

Is everyone on this email list tracking you?  You sent us your
email address, so according to that definition we all are.

When you order pizza over the telephone, provide your address
for the sake of the order, and the company discards that data after
the delivery, is that tracking you?  When you do the same online,
is the pizza company tracking you?

Is it possible for you to make an HTTP request on the Internet
without all recipients being defined as tracking you?  If not,
then why are we wasting our time?

"non normative explanation:

Tracking is not exclusively connected to unique ID cookies.

Right.

Tracking includes automated real time decisions,

(I assume that comma is not meant to be there)

intended to analyse or predict the personality or certain personal aspects
relating to a natural person, including the analysis and prediction of the
person's health, economic situation, information on political or
philosophical beliefs, performance at work, leisure, personal preferences
or interests, details and patterns on behavior, detailed location or
movements.

No, actually, most of those can be determined by context (i.e., what
page you are looking at right now), and thus are not in themselves
tracking.  Tracking implies a time shift.  Tracking can be used to
construct profiles, which can do the above *and* be a privacy risk.
Context-based analysis does not involve profiles.

Tracking is defined in a technological neutral way and includes e.g. cookie
based tracking technology, active and passive fingerprinting techniques.

Tracking, as defined above, includes everything on the Internet.

I can live with what's in the current editors draft:

Tracking is the retention or use, after a network interaction is complete,
of data that are, or can be, associated with a specific user, user agent, or
device.

Likewise, that says all data use on the Internet is tracking.

Let's shorten it in a way that still includes just half of what
the above definition defines as tracking:

  Tracking is the retention of personal data.

I claim that the above definition has no relation to our work.

There is nothing in the original DNT proposal that would suggest
a user's expectations when setting DNT:1 would be that they could
only perform anonymous activity on the Internet.  In fact, the
original proposal only sent DNT when making (what the author believed
to be) a request to a third party --- an embedded request to some
domain other than that of the primary page.

Let's compare that to how DNT implementations are
described by the browsers and servers that implement them:

http://datatracker.ietf.org/doc/draft-mayer-do-not-track/

   This document defines the syntax and semantics of Do Not Track,
   an HTTP header-based mechanism that enables users to express
   preferences about third-party web tracking.

http://www.mozilla.org/en-US/dnt/

   Do Not Track is a feature in Firefox that allows you to let
   a website know you would like to opt-out of third-party tracking
   for purposes including behavioral advertising. It does this by
   transmitting a Do Not Track HTTP header every time your data
   is requested from the Web.

https://twitter.com/privacy

   If you prefer, you can turn off tailored ads in Twitter account
   settings so that your account is not matched to information
   shared by ad partners for tailoring ads.

https://en.help.pinterest.com/entries/25010303

   If you don't want Pinterest using stuff you do off Pinterest
   to personalize your experience, here are some things you can do:

Note that the last two are account-based services that retain
extensive PII about each account holder, and yet the privacy folks
here were quite vocal in their approval of the fact that these
sites honor DNT.

So, what's it going to be?  Are we going to define Do Not Track
as described by the people who claim to have implemented it, or
are we going to define the entirety of EU Data Protection under
a term that is being abused for public fear-mongering?

....Roy

Received on Friday, 11 October 2013 10:12:41 UTC