- From: Roy T. Fielding <fielding@gbiv.com>
- Date: Fri, 11 Oct 2013 14:09:40 -0700
- To: Mike O'Neill <michael.oneill@baycloud.com>
- Cc: "'John Simpson'" <john@consumerwatchdog.org>, <public-tracking@w3.org>
- Message-Id: <99E4FEAD-A17D-449B-9FEA-B5C3FF16ED2F@gbiv.com>
On Oct 11, 2013, at 3:11 AM, Mike O'Neill wrote:

> Roy,
>
> The examples you give do not constrain tracking consent to the cross-domain situation.

The examples I gave demonstrated how the other proposed definitions do not actually define tracking. What they define is retention of personal data. Hence, they far overreach the scope of this WG.

> Sure, when you visit a site they may track you, but they don’t have to. If you log in you are giving consent to be identified on subsequent visits (authenticated by a persistent unique id) but you have given consent. This is recognised by the ePrivacy directive as storage “strictly necessary to fulfil a service specifically requested by the user”, and in our standard by the UGE API or letting OOBC override DNT. If you visit your bank with DNT set they could say (and they have to anyway in Europe) “when you click the login button you are giving consent to us storing data in your browser so we can recognise your browser in future visits. This data will be deleted after X days if you do not visit us again within that period.”. There is no requirement for more clicks from the user, just that they be given a simple explanation of what is going on.

What you describe are provisions of the ePrivacy directive, not DNT. They have almost nothing to do with the scope of our work other than the fact that *some* mechanisms that perform tracking *do* conflict with the provisions of the ePrivacy directive if prior consent is not obtained. DNT does not change that, in any way, and the bank has to say exactly the same thing regardless of DNT because the bank has no way of verifying that this specific user is the one who set DNT.

> If you casually browse a site without specifically identifying yourself by logging in or registering then in my opinion you should be informed before you are tracked.

Yes, that's a fine opinion to have, but it doesn't change the fact that a site is not tracking you just because you logged in. It is authenticating you. There is a huge difference between authenticating that a user at one site has access to their own account at that site, and that same authentication data being used to follow the user's activity at other sites. The latter is clearly an issue with federated identity services, and if we don't define tracking correctly then we can't explain why logging in is necessary to preserve privacy in some cases while at the same time tracking based on login is a *potential* violation of privacy.

> Your point about CCTV is addressed by the permitted uses and purpose limitation.

No, it is not. Permitted uses allow the law enforcement to track a user. There is no need to permit fixed camera observation of private premises because data collection alone is not tracking. The fact that it is collection of personal data and is subject to data protection laws (even in the US) does not change the fact that recording video at a single source, without combining it with any other sources, does not amount to tracking. DNT does not have the same scope as data protection.

> The reason this is an issue is the early decision by this group to limit itself to cross-domain tracking, and as I have said this caused more difficulties than it solved (not least the loss of a level playing field). If we can quickly get to a meaningful consensus around the context qualification then I don’t wish to rock the boat but we should not reduce the clarity of the compliance spec by overloading it on to the definition of tracking.

No, the reason this is an issue is because many participants in the working group are trying to address all privacy problems, including the entire suite of data protection laws, under the rubric of tracking. We are not chartered to do that. Please stop. This overreach is killing our ability to solve the specific problem that this working group was chartered to address.

....Roy

Received on Friday, 11 October 2013 21:09:48 UTC