W3C home > Mailing lists > Public > public-tracking@w3.org > October 2013

Re: ISSUE-5: Consensus definition of "tracking" for the intro?

From: David Singer <singer@apple.com>
Date: Fri, 11 Oct 2013 17:21:58 -0700
Cc: John Simpson <john@consumerwatchdog.org>, "public-tracking@w3.org (public-tracking@w3.org)" <public-tracking@w3.org>
Message-id: <C6B40DB2-87BD-432A-AF8D-3188099BB4C1@apple.com>
To: "Roy T. Fielding" <fielding@gbiv.com>

On Oct 10, 2013, at 17:39 , Roy T. Fielding <fielding@gbiv.com> wrote:

> Ah, now I can critique two definitions in one response ...
> On Oct 10, 2013, at 1:15 PM, John Simpson wrote:
>> I don't want to rain on your march toward consensus parade, but I have trouble with the " across multiple parties' domains or services" language.
> Why?
>> It seems to me Rob's language -- proposal 4 -- has it exactly right, particularly when you include his suggested non-normative text:
>>> "Tracking is any form of collection, retention, use and/or application of data that are, or can be, associated with a specific user, user agent, or device.
> Allow me to illustrate why this is false.
> When you login to your online bank account (certainly an application
> of data that is associated with you), is the bank tracking you?
> Is DNT:1 going to turn that off?

Yes, under some definitions they are:  if they (as likely) keep records, they are remembering data about you.  But they are a first party, so they get a big carve-out.

> Tracking, as defined above, includes everything on the Internet.

No, there are plenty of services that don't keep personal info.  DuckDuckGo is the most famous example.

>> I can live with what's in the the current editors draft:
>> Tracking is the retention or use, after a network interaction is complete, of data that are, or can be, associated with a specific user, user agent, or device.
> Likewise, that says all data use on the Internet is tracking.

No, it omits (a) data used to service transactions (within the interaction) and (b) data not associated with a specific user etc.  That's a lot of data.

> I claim that the above definition has no relation to our work.
> There is nothing in the original DNT proposal that would suggest
> a user's expectations when setting DNT:1 would be that they could
> only perform anonymous activity on the Internet.  

No, they are anonymous *to the organizations that they didn't choose to interact with, and for the most part are unaware of*.  We *have* a first-party carve-out, long-since agreed.  But even the first party has some restrictions on what it does with 'tracking data' (like, not sharing it around).

As I said in the 'tunnel-vision' approach, if it had been adopted, it would have meant that the distinction between first and third parties might not have been needed at all, as indeed most first parties only want to remember your interaction with them, and if that's not 'tracking', they don't need a special carve-out.  But this approach did not get support;  I am not sure why.  I suspect it was too rigorous for the industry, and too permissive for the privacy people.

> So, what's it going to be?  Are we going to define Do Not Track
> as described by the people who claim to have implemented it, or
> are we going to define the entirety of EU Data Protection under
> a term that is being abused for public fear-mongering?

Please don't set up false dichotomies.  

Having said that, I just posted something which is, I hope a synthesis of what's on the CP list, and is closer to what you wrote than this suggestion.  It's much closer to tunnel-vision than "don't remember stuff about me" (unless you are a first party). 

Let's see if we can find a reasonable middle ground here.

David Singer
Multimedia and Software Standards, Apple Inc.
Received on Saturday, 12 October 2013 00:22:25 UTC

This archive was generated by hypermail 2.3.1 : Friday, 3 November 2017 21:45:19 UTC