Begin forwarded message:

Resent-From: public-tracking-commit@w3.org
From: "CVS User npdoty" <cvsmail@w3.org>
Subject: CVS WWW/2011/tracking-protection/drafts
Date: September 28, 2013 3:30:05 PM PDT
To: public-tracking-commit@w3.org
Archived-At: <http://www.w3.org/mid/E1VQ31Z-0004bj-TE@gil.w3.org>

Update of /w3ccvs/WWW/2011/tracking-protection/drafts
In directory gil:/tmp/cvs-serv17711

Modified Files:
tracking-compliance.html
Log Message:
through much of the backlog of editorial changes for Compliance doc

--- /w3ccvs/WWW/2011/tracking-protection/drafts/tracking-compliance.html 2013/09/19 21:49:08 1.102
+++ /w3ccvs/WWW/2011/tracking-protection/drafts/tracking-compliance.html 2013/09/28 22:30:05 1.103
@@ -170,10 +170,10 @@
      linked to, a particular consumer, computer, or other device;
</li>
<li>
- commits to try not to reidentify the data; and
+ commits to make no attempt to re-identify the data; and
</li>
<li>
- contractually prohibits downstream recipients from trying to
+ contractually prohibits downstream recipients from attempting to
          re-identify the data.
</li>
</ol>
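Review bot: The first changed item goes from "commits to try not to reidentify" to "commits to make no attempt to re-identify", which reads as a stricter commitment rather than a wording cleanup. Since the log message describes these as editorial changes, confirm that the stronger form is what the group agreed. The switch to "re-identify" does match the spelling already used in the following item.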
@@ -185,7 +185,7 @@
<h3>Tracking</h3>
<p>
<dfn>Tracking</dfn> is the retention or use, after a network
-         interaction is complete, of data records that are, or can be,
+         interaction is complete, of data that are, or can be,
         associated with a specific user, user agent, or device.
</p>
<p class="issue" data-number="5" title="What is the definition of tracking?"></p>
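Review bot: Dropping "records" in the Tracking definition widens it from "data records" to any "data", and the definition is still listed as open issue 5 on the next line, so this is more than an editorial edit and should be mentioned in the log message. The verb is also plural here ("data that are") while a later hunk in this commit writes "the data is"; pick one form for the document.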
@@ -194,7 +194,7 @@
<section id="collection">
<h3>Collect, Retain, Use, Share</h3>
        <p id="def-collection">
- A party <dfn>collects</dfn> data if it receives the data and shares
+ A party <dfn>collects</dfn> data if it receives the data and either shares
          the data with other parties or stores the data for more than a
          transient period.
</p>
@@ -204,7 +204,7 @@
</p>
        <p>
A party <dfn>uses</dfn> data if the party processes the data for any
-          purpose other than storage or merely forwarding it to another party.
+          purpose other than either storage or merely forwarding it to another party.
</p>
        <p>
A party <dfn>shares</dfn> data if the party enables another party to
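Review bot: In the definition of "uses", the added "either" makes the non-parallel pair more noticeable: "other than either storage or merely forwarding it" joins a noun to a verb phrase. Suggest "other than storing the data or merely forwarding it to another party".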
@@ -212,12 +212,18 @@
</p>
<p class="issue" data-number="16" title="What does it mean to collect data? (caching, logging, storage, retention, accumulation, profile etc.)"></p>
</section>
+ <section id="graduated-response">
+ <h3>Graduated Response</h3>
+ <p>
+ A <dfn>graduated response</dfn> a methodology where the action taken is proportional to the size of the problem or risk that is trying to be mitigated. In the context of this document, the term is used to describe an increase in the collection of data about a user or transaction in response to a specific problem that a party has become aware of, such as an increase in fraudulent activity originating from a particular network or IP address range resulting in increased logging of data relating to transactions from that specific range of IP addresses as opposed to increased logging for all users in general.
+ </p>
+ </section>
</section> <!-- end definitions -->
<section id="user-agent-compliance">
    <h3>User Agent Compliance</h3>
      <p class="issue" data-number="205" title="user agent compliance requirements; connections to TPE"></p>
<p>
- A user agent MUST offer users a minimum of two alternative choices for a Do Not Track preference: unset or DNT: 1. A user agent MAY offer a third alternative choice: DNT: 0.
+ A user agent MUST offer users a minimum of two alternative choices for a Do Not Track general preference: unset or DNT: 1. A user agent MAY offer a third alternative choice: DNT: 0.
</p>
<p>
If the user's choice is DNT:1 or DNT:0, the tracking preference is <dfn>enabled</dfn>; otherwise, the tracking preference is <dfn>not enabled</dfn>.
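Review bot: The first sentence of the new Graduated Response section is missing its verb: "A graduated response a methodology where ..." should read "A graduated response is a methodology where ...". The sentence that follows is very long; splitting the fraud example ("such as an increase in fraudulent activity originating from a particular network or IP address range ...") into its own sentence would make the definition easier to cite.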
@@ -239,7 +245,7 @@
when DNT is enabled, some data may still be collected and used for certain purposes, and a description of such purposes; and
</li>
<li>
- if a user affirmatively allows a particular party to collect and use information about web viewing activities, enabling DNT will not limit collection and use from that party.
+ if a user affirmatively allows a particular party to collect and use data about web viewing activities, enabling DNT will not limit collection and use from that party.
</li>
</ol>
<p>
@@ -256,16 +262,16 @@
    <h3>First Party Compliance</h3>
    <p>
      If a first party receives a DNT:1 signal the first party MAY engage in its normal collection and
-      use of information. This includes the ability to customize the content,
+      use of data. This includes the ability to customize the content,
      services, and advertising in the context of the first party experience.
    </p>
    <p>
-      The first party MUST NOT pass information about this network interaction to
+      The first party MUST NOT share data about this network interaction with
      third parties who could not collect the data
-      themselves under this standard. Information about the transaction MAY be passed on to service providers acting on behalf of the first party
+      themselves under this recommendation. Data about the transaction MAY be shared with service providers acting on behalf of the first party.
    </p>
<p>
- First parties MAY elect to follow third party practices.
+ A first party MAY elect to follow the rules defined here for third parties.
</p>
<p class="issue" data-number="170" title="Definition of and what/whether limitations around data append and first parties"></p>
</section>
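Review bot: In the second paragraph of First Party Compliance, the first sentence refers to "this network interaction" and the second to "the transaction"; if the same thing is meant, use "network interaction" in both. In the last changed line, "the rules defined here for third parties" leaves "here" ambiguous; a link to the relevant section would be clearer.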
@@ -276,23 +282,21 @@
      If a third party receives a DNT: 1 signal, then:
    </p>
    <ol start="1">
-      <li>the third party MUST NOT collect, retain, share, or use information
+      <li>the third party MUST NOT collect, retain, share, or use data
      related to the network interaction as part of which it received the DNT:
-      1 signal outside of the permitted uses as defined within this standard
+      1 signal outside of the permitted uses as defined within this recommendation
      and any explicitly-granted exceptions provided in accordance with the
-      requirements of this standard;</li>
+      requirements of this recommendation;</li>

-      <li>the third party MUST NOT use information about previous network
+      <li>the third party MUST NOT use data about previous network
      interactions in which it was a third party, outside of the permitted
-      uses as defined within this standard and any explicitly-granted
+      uses as defined within this recommendation and any explicitly-granted
      exceptions, provided in accordance with the requirements of this
-      standard.</li>
+      recommendation.</li>
    </ol>
<p>
The third party MAY nevertheless collect, use, and retain such
-      information for the set of permitted uses described below. Further,
-      parties MAY collect, use, and retain such information in order to comply
-      with applicable laws, regulations, and judicial processes.
+      data for the set of permitted uses described below.
</p>
<p>
Outside the permitted uses listed below, the third party MUST NOT
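Review bot: The sentence removed from the last changed paragraph ("parties MAY collect, use, and retain such information in order to comply with applicable laws, regulations, and judicial processes") was an uppercase MAY scoped to this third-party section. Its replacement in the Legal Compliance section added at the end of this patch adds "share", uses lowercase "may" and opens with "Notwithstanding anything in this recommendation". That changes scope rather than just moving text, and should be called out in the log message.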
@@ -315,8 +319,8 @@
</p>
<p>
It is outside the scope of this specification to control short-term,
-      transient collection and use of data, so long as the information is not
-      transmitted to a third party and is not used to build a profile about a
+      transient collection and use of data, so long as the data is not
+      shared with a third party and is not used to build a profile about a
      user or otherwise alter an individual userís user experience outside the
      current network interaction. For example, the contextual customization
      of ads shown as part of the same network interaction is not restricted
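Review bot: Replacing "transmitted to a third party" with "shared with a third party" swaps a plain verb for a term this document defines ("A party shares data if the party enables another party to ..."), so the carve-out for transient collection now depends on that definition; confirm this is intended. The context line "an individual userís user experience" also carries a mis-encoded apostrophe that should be fixed in the source file.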
@@ -412,7 +416,7 @@
      <section id="frequency-capping">
      <h4>Frequency Capping</h4>
<p>
- Regardless of DNT signal, information MAY be collected, retained and used to limit
+ Regardless of DNT signal, data MAY be collected, retained and used to limit
the number of times that a user sees a particular advertisement, often called
<dfn>frequency capping</dfn>, as long as the data retained do not reveal the userís
browsing history. Parties MUST NOT construct profiles of users or user behaviors based
@@ -422,7 +426,7 @@
<section id="financial-logging">
<h4>Financial Logging</h4>
<p>
- Regardless of DNT signal, information MAY be collected, retained and used for
+ Regardless of DNT signal, data MAY be collected, retained and used for
<dfn>billing and auditing</dfn> related to the current network interaction and
concurrent transactions. This may include counting ad impressions to unique visitors,
verifying positioning and quality of ad impressions and auditing compliance with this
@@ -436,16 +440,20 @@
fraudulent or malicious activity</dfn>, parties MAY collect, retain, and use data regardless
of a DNT signal. This includes data reasonably necessary for enabling authentication/verification,
detecting hostile and invalid transactions and attacks, providing fraud prevention, and maintaining
- system integrity. In the context of this specific permitted use, this information MAY be used to
+ system integrity. In the context of this specific permitted use, this data MAY be used to
alter the user's experience in order to reasonably keep a service secure or prevent fraud.
</p>
<p class="issue" data-number="24" title="Possible exemption for fraud detection and defense"></p>
+   <section id="security-graduated" class="informative">
+   <h4>Graduated Responses for Security</h4>
+   When feasible, a <a>graduated response</a> to a detected security incident is preferred over widespread data collection. An example would be recording all use from a given IP address range, regardless of DNT signal, if the party believes it is seeing a coordinated attack on its service (such as click fraud) from that IP address range. Similarly, if an attack shared some other identifiable fingerprint, such as a combination of user agent string and other protocol information, the party could retain logs on all transactions matching that fingerprint until it can be determined that they are not associated with such an attack or such retention is no longer necessary to support prosecution.
+   </section>
</section>

<section id="debugging">
<h4>Debugging</h4>
<p>
- Regardless of DNT signal, information MAY be collected, retained and used for
+ Regardless of DNT signal, data MAY be collected, retained and used for
<dfn>debugging purposes</dfn> to identify and repair errors that impair existing intended
functionality.
</p>
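Review bot: The body text of the new "Graduated Responses for Security" section sits directly inside the section element with no enclosing <p>, unlike the neighbouring sections; wrap it in a paragraph. The retention condition "until it can be determined that they are not associated with such an attack or such retention is no longer necessary to support prosecution" states no upper bound, which deserves a second look even in a section marked informative.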
@@ -470,14 +478,14 @@
      from requests received with DNT: 0.
    </p>
    <p>
-      The operator of a website may engage in practices otherwise proscribed
-      by this standard if the user has given explicit and informed consent.
+      A party may engage in practices otherwise proscribed
+      by this recommendation if the user has given explicit and informed consent.
      This consent may be obtained through the API defined in the
-      companion [[!TRACKING-DNT]] document, or an operator of a website may
+      companion [[!TRACKING-DNT]] document, or a party may
      also obtain <dfn>out of band</dfn> consent to disregard a Do Not Track
-      preference using a different technology. If an operator is relying on
+      preference using a different technology. If a party is relying on
      out of band consent to disregard a Do Not Track preference, the
-      operator must indicate this consent to the user agent as described in
+      party must indicate this consent to the user agent as described in
      the companion [[!TRACKING-DNT]] document.
    </p>
</section>
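Review bot: This paragraph keeps lowercase "may" and "must" ("A party may engage in practices ...", "party must indicate this consent") while the other hunks in this patch use uppercase MUST and MAY for requirements. Since these lines are being edited anyway, decide whether they are normative and capitalise accordingly.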
@@ -510,10 +518,16 @@
<section>
<h3>Unknowing Collection</h3>
<p>
- If a party learns that it possesses information in violation of this standard, it MUST, where reasonably feasible, delete or de-identify that information at the earliest practical opportunity, even if it was previously unaware of such information practices despite reasonable efforts to understand its information practices.
+ If a party learns that it possesses data in violation of this recommendation, it MUST, where reasonably feasible, delete or de-identify that data at the earliest practical opportunity, even if it was previously unaware of such information practices despite reasonable efforts to understand its information practices.
</p>
<p class="issue" data-number="208" title="Requirements on unknowing collection, retention and use"></p>
</section>
+ <section>
+  <h3>Legal Compliance</h3>
+  <p>
+    Notwithstanding anything in this recommendation, parties may collect, use, share, and retain data required to comply with applicable laws, regulations, and judicial processes.
+  </p>
+ </section>
  <section id="acknowledgements" class='appendix'>
    <h1>Acknowledgements</h1>
    <p>
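Review bot: The new Legal Compliance section has no id attribute, unlike the "graduated-response" and "security-graduated" sections added elsewhere in this patch, so it cannot be linked to directly; add one. In the Unknowing Collection paragraph, "information" becomes "data" in two places but "such information practices" and "its information practices" remain; check that the mix is deliberate.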