W3C home > Mailing lists > Public > public-tracking@w3.org > October 2013

RE: ISSUE-5: Consensus definition of "tracking" for the intro?

From: Mike O'Neill <michael.oneill@baycloud.com>
Date: Fri, 11 Oct 2013 11:27:44 +0100
To: "'Vinay Goel'" <vigoel@adobe.com>, "'John Simpson'" <john@consumerwatchdog.org>, "'Matthias Schunter \(Intel Corporation\)'" <mts-std@schunter.org>
Cc: <public-tracking@w3.org>, "'Roy T. Fielding'" <fielding@gbiv.com>, "'David Singer'" <singer@apple.com>
Message-ID: <029d01cec66c$87605c90$962115b0$@baycloud.com>
Hi Vinay,


Comments inline:


I respectively object to this proposal.  We are trying to define 'Track'
within Do Not Track so that both a server and a consumer know what Do Not
Track means.  I believe it gets overly difficult for consumers if they
see/read Do Not Track, but the implementations on the backend focus on 'do
not cross-domain track'.


I agree it is hard to build in the context qualification into the definition
of tracking without confusing the user and the implementer.



Also, I object to 'without the user being aware'.  That would suggest that
if a web publisher includes 'this ad is served by Acme' in a spot where the
consumer sees it, then Acme wouldn't be engaged as a 3rd party doing
cross-domain tracking because the user was made aware of it.



Good point. How about contracting it to 'Cross-domain Tracking is a type of
tracking in which data is collected or retained by a party other than the
controller of the site the user had explicitly visited"





From: Mike O'Neill <michael.oneill@baycloud.com>
Date: Thursday, October 10, 2013 4:17 PM
To: 'John Simpson' <john@consumerwatchdog.org>, "'Matthias Schunter (Intel
Corporation)'" <mts-std@schunter.org>
Cc: "public-tracking@w3.org" <public-tracking@w3.org>, "'Roy T. Fielding'"
<fielding@gbiv.com>, 'David Singer' <singer@apple.com>
Subject: RE: ISSUE-5: Consensus definition of "tracking" for the intro?
Resent-From: <public-tracking@w3.org>
Resent-Date: Thursday, October 10, 2013 4:17 PM


Hi Roy, Matthias


How about we use option 4 (or a combination of options 3 & 4 with Rob's
non-normative text) for a definition of tracking and then add a derivative
definition of cross-domain tracking that contains the context qualification.


As in:


Cross-domain Tracking is a type of tracking in which data is collected or
retained by a party without the user being aware, i.e. by a party other than
the one in control of the web page the user has explicitly linked to or


Non-Normative Text

This standard is intended to give a user the capability to limit
cross-domain tracking. In some jurisdictions the DNT signal could also be
taken to communicate explicit consent to wider data collection but the
standard does not address that.


The last bit is my attempt at non-normative sugar which might help make the
signal more useful in the EU.




From: John Simpson [mailto:john@consumerwatchdog.org] 
Sent: 10 October 2013 21:32
To: Matthias Schunter (Intel Corporation)
Cc: Mike O'Neill; public-tracking@w3.org; 'Roy T. Fielding'; David Singer
Subject: Re: ISSUE-5: Consensus definition of "tracking" for the intro?


Sorry for typos:

that should be " xxxx his suggested non-normative text:" at end of 1st



On Oct 10, 2013, at 1:15 PM, John Simpson <john@consumerwatchdog.org> wrote:

Hi Matthias,


I don't want to rain on your march toward consensus parade, but I have
trouble with the " across multiple parties' domains or services" language.
It seems to me Rob's language -- proposal 4 -- has it exactly right,
particular;y when you include is suggested uninformative text:


"Tracking is any form of collection, retention, use and/or application of
data that are, or can be, associated with a specific user, user agent, or

"non normative explanation: Tracking is not exclusively connected to unique
ID cookies. Tracking includes automated real time decisions, intended to
analyse or predict the personality or certain personal aspects relating to a
natural person, including the analysis and prediction of the person's
health, economic situation, information on political or philosophical
beliefs , performance at work, leisure, personal preferences or interests,
details and patterns on behavior, detailed location or movements. Tracking
is defined in a technological neutral way and includes e.g. cookie based
tracking technology, active and passive fingerprinting techniques."

I can live with what's in the the current editors draft:


Tracking is the retention or use, after a network interaction is complete,
of data that are, or can be, associated with a specific user, user agent, or






On Oct 10, 2013, at 3:15 AM, Matthias Schunter (Intel Corporation)
<mts-std@schunter.org> wrote:

Hi Mike,

thanks for your feedback!

I have two questions:
- Could you live with the proposed text if we decided not to change it?
- If not, are there specific (hopefully small) text changes that we could
make to allow you to live with this proposal?

Personal remark: While I agree with your points, it is important to note
that we aim for a text that is "good enough" and  does not need to be
I.e., an outcome that introduces tracking in a understandable way while
covering 80% of what we mean would IMHO be good enough even if there are
some corner cases that are not captured 100% accurately.

On 09/10/2013 22:11, Mike O'Neill wrote:

I agree with David Singer that this is unclear. It seems to say retention of
identifiers is OK within one domain origin but that would allow them by
third-party frames and via redirection via other origin hosts. I know we
don't mean that it could be read that way. To make it clear we would then
have to further qualify the definition, maybe later when it is used for
instance in the third-party compliance section. We would have to say data
cannot be retained if referer(sic) headers, URL query parameters,
postMessage events and whatever communicate cross-domain data i.e. that the
identifier is somehow "attributable" to another domain/service.

We could make this clear in the definition by adding some non-normative text

It follows from this that data such as unique identifiers cannot be retained
by a third-party if they can be associated with another host domain or

Anyway, in my opinion the cross-domain qualification is already adequately
made elsewhere and putting it here just complicates things, so we should
remove "across multiple parties' domains or services and"  or use Option 3
or 4.


-----Original Message-----
From: Matthias Schunter (Intel Corporation) [mailto:mts-std@schunter.org]
Sent: 09 October 2013 18:36
To: public-tracking@w3.org (public-tracking@w3.org)
Subject: ISSUE-5: Consensus definition of "tracking" for the intro?

Hi Team,

during our call, it seemed that the group was converging on a consensus for
this definition of tracking (option 5 by Roy):

         Tracking is the collection of data across multiple parties'
domains or services and retention of that data in a
         form that remains attributable to a specific user, user agent, or

It is our "old" definition - corrected for grammar.

  (a) Are there further required improvements that we need to introduce?
  (b) Are there participants that cannot live with this style/type of
definition (assuming we can provide the required final fine-tuning)?




Received on Friday, 11 October 2013 10:28:18 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 17:40:00 UTC