- From: Mike O'Neill <michael.oneill@baycloud.com>
- Date: Fri, 11 Oct 2013 11:27:44 +0100
- To: "'Vinay Goel'" <vigoel@adobe.com>, "'John Simpson'" <john@consumerwatchdog.org>, "'Matthias Schunter \(Intel Corporation\)'" <mts-std@schunter.org>
- Cc: <public-tracking@w3.org>, "'Roy T. Fielding'" <fielding@gbiv.com>, "'David Singer'" <singer@apple.com>
- Message-ID: <029d01cec66c$87605c90$962115b0$@baycloud.com>
Hi Vinay, Comments inline: I respectively object to this proposal. We are trying to define 'Track' within Do Not Track so that both a server and a consumer know what Do Not Track means. I believe it gets overly difficult for consumers if they see/read Do Not Track, but the implementations on the backend focus on 'do not cross-domain track'. I agree it is hard to build in the context qualification into the definition of tracking without confusing the user and the implementer. Also, I object to 'without the user being aware'. That would suggest that if a web publisher includes 'this ad is served by Acme' in a spot where the consumer sees it, then Acme wouldn't be engaged as a 3rd party doing cross-domain tracking because the user was made aware of it. Good point. How about contracting it to 'Cross-domain Tracking is a type of tracking in which data is collected or retained by a party other than the controller of the site the user had explicitly visited" Mike From: Mike O'Neill <michael.oneill@baycloud.com> Date: Thursday, October 10, 2013 4:17 PM To: 'John Simpson' <john@consumerwatchdog.org>, "'Matthias Schunter (Intel Corporation)'" <mts-std@schunter.org> Cc: "public-tracking@w3.org" <public-tracking@w3.org>, "'Roy T. Fielding'" <fielding@gbiv.com>, 'David Singer' <singer@apple.com> Subject: RE: ISSUE-5: Consensus definition of "tracking" for the intro? Resent-From: <public-tracking@w3.org> Resent-Date: Thursday, October 10, 2013 4:17 PM Hi Roy, Matthias How about we use option 4 (or a combination of options 3 & 4 with Rob's non-normative text) for a definition of tracking and then add a derivative definition of cross-domain tracking that contains the context qualification. As in: Cross-domain Tracking is a type of tracking in which data is collected or retained by a party without the user being aware, i.e. by a party other than the one in control of the web page the user has explicitly linked to or visited. Non-Normative Text This standard is intended to give a user the capability to limit cross-domain tracking. In some jurisdictions the DNT signal could also be taken to communicate explicit consent to wider data collection but the standard does not address that. The last bit is my attempt at non-normative sugar which might help make the signal more useful in the EU. Mike From: John Simpson [mailto:john@consumerwatchdog.org] Sent: 10 October 2013 21:32 To: Matthias Schunter (Intel Corporation) Cc: Mike O'Neill; public-tracking@w3.org; 'Roy T. Fielding'; David Singer Subject: Re: ISSUE-5: Consensus definition of "tracking" for the intro? Sorry for typos: that should be " xxxx his suggested non-normative text:" at end of 1st graph. John On Oct 10, 2013, at 1:15 PM, John Simpson <john@consumerwatchdog.org> wrote: Hi Matthias, I don't want to rain on your march toward consensus parade, but I have trouble with the " across multiple parties' domains or services" language. It seems to me Rob's language -- proposal 4 -- has it exactly right, particular;y when you include is suggested uninformative text: "Tracking is any form of collection, retention, use and/or application of data that are, or can be, associated with a specific user, user agent, or device. "non normative explanation: Tracking is not exclusively connected to unique ID cookies. Tracking includes automated real time decisions, intended to analyse or predict the personality or certain personal aspects relating to a natural person, including the analysis and prediction of the person's health, economic situation, information on political or philosophical beliefs , performance at work, leisure, personal preferences or interests, details and patterns on behavior, detailed location or movements. Tracking is defined in a technological neutral way and includes e.g. cookie based tracking technology, active and passive fingerprinting techniques." I can live with what's in the the current editors draft: Tracking is the retention or use, after a network interaction is complete, of data that are, or can be, associated with a specific user, user agent, or device. Regards, John On Oct 10, 2013, at 3:15 AM, Matthias Schunter (Intel Corporation) <mts-std@schunter.org> wrote: Hi Mike, thanks for your feedback! I have two questions: - Could you live with the proposed text if we decided not to change it? - If not, are there specific (hopefully small) text changes that we could make to allow you to live with this proposal? Personal remark: While I agree with your points, it is important to note that we aim for a text that is "good enough" and does not need to be perfect. I.e., an outcome that introduces tracking in a understandable way while covering 80% of what we mean would IMHO be good enough even if there are some corner cases that are not captured 100% accurately. Regards, matthias On 09/10/2013 22:11, Mike O'Neill wrote: I agree with David Singer that this is unclear. It seems to say retention of identifiers is OK within one domain origin but that would allow them by third-party frames and via redirection via other origin hosts. I know we don't mean that it could be read that way. To make it clear we would then have to further qualify the definition, maybe later when it is used for instance in the third-party compliance section. We would have to say data cannot be retained if referer(sic) headers, URL query parameters, postMessage events and whatever communicate cross-domain data i.e. that the identifier is somehow "attributable" to another domain/service. We could make this clear in the definition by adding some non-normative text like: Non-normative. It follows from this that data such as unique identifiers cannot be retained by a third-party if they can be associated with another host domain or service. Anyway, in my opinion the cross-domain qualification is already adequately made elsewhere and putting it here just complicates things, so we should remove "across multiple parties' domains or services and" or use Option 3 or 4. Mike -----Original Message----- From: Matthias Schunter (Intel Corporation) [mailto:mts-std@schunter.org] Sent: 09 October 2013 18:36 To: public-tracking@w3.org (public-tracking@w3.org) Subject: ISSUE-5: Consensus definition of "tracking" for the intro? Hi Team, during our call, it seemed that the group was converging on a consensus for this definition of tracking (option 5 by Roy): Tracking is the collection of data across multiple parties' domains or services and retention of that data in a form that remains attributable to a specific user, user agent, or device. It is our "old" definition - corrected for grammar. Questions: (a) Are there further required improvements that we need to introduce? (b) Are there participants that cannot live with this style/type of definition (assuming we can provide the required final fine-tuning)? Regards, matthias
Received on Friday, 11 October 2013 10:28:18 UTC