tracking in compliance; navigation referral from Nicholas Doty on 2014-08-20 (public-tracking@w3.org from August 2014)

From: Nicholas Doty <npdoty@w3.org>
Date: Tue, 19 Aug 2014 18:43:57 -0700
To: public-tracking@w3.org
Message-Id: <90D03638-A992-47E5-9B2B-59A8368E7BC5@w3.org>

On our last call, I volunteered to help parse out different pieces of Roy's alternative proposal regarding issue-203. Based on that conversation and my thinking since, I see roughly three pieces described below. I have tried to document the different possibilities; we may be able to consolidate them or maybe the group already has consensus for or against one or another.

Thanks,
Nick

## issue-203

This issue (based on a change proposal that came from David Singer) is about how we use "tracking" in the Compliance document. In particular, I think the idea was to complete harmonization with the WG's previous decision on tracking and to narrow or otherwise update the scope to match that defined term. I see three approaches here:

1. Current text: the current editors' draft sets compliance requirements involving collection, retention and subsequent use of non-deidentified data collected by a third party to a given user action, except for data necessary for permitted uses. I believed this to be our previous agreement, and it would still cover "tracking" as defined.

2. dsinger's proposal: we could also narrow existing compliance requirements by using "tracking data" in place of "data". That is, even if a party is a third-party to a given user action and retains or shares non-deidentified data, it isn't tracking (and isn't in scope of this recommendation) if it isn't collecting data across different contexts. I think we'd want to define "tracking data" as something like "data that could be combined with other data to engage in tracking a user across different contexts".

3. fielding's proposal: we could remove the first-party and third-party compliance sections and replace with a set of requirements for what does and does not consititute tracking. See section 3.3 of Roy's Alternative proposal: http://www.w3.org/2011/tracking-protection/drafts/tracking-compliance-i203.html#adhering-to-tracking-status
Permitted uses would be moved to a separate high-level section. See section 3.4 of Roy's text: http://www.w3.org/2011/tracking-protection/drafts/tracking-compliance-i203.html#limited-tracking-permitted

In particular, this requires a statement, as in Section 1 of Roy's proposal, to state that these requirements are intended to apply to downstream recipients as well.
http://www.w3.org/2011/tracking-protection/drafts/tracking-compliance-i203.html#scope-and-goals

That is, it would likely not be a comfort to users that a particular site is not tracking their activity if that site is passing on the data to another party which aggregates their activity across sites. I don't prefer this alternative in part because it would no longer be the case that data not governed by requirements in the specification is out of scope; in addition to satisfying the definition of "not tracking", to be compliant you would also need to evaluate any downstream uses of your data.

## navigation referral

Of particular note in our conversation was the question of whether keeping navigation referral information (which website you were on when you followed a link to the site you're on now; which might be passed by Referer header or a query parameter) was in scope (tracking) and whether it was permitted. Perhaps it would be appropriate to open a new issue on this topic; while we aren't generally trying to open more issues at this point, it's come up as an important part of resolving issue-203.

I see 3 approaches here:

1. not tracking: add a note that information about how you navigated directly to this particular site is not considered tracking, perhaps because how a user arrives at a site is an understandable part of the context of navigation.

2. tracking, with a permitted use: add a note that information about how you navigated directly to this particular site is considered tracking (because it contains information about the user in multiple contexts) and add a permitted use specifically for the case of first parties to the navigation, perhaps because how a user arrives at a site is an understandable part of the context of navigation.

3. tracking not compliant with the user's preference: add a note that such information is tracking and that a party using this document to indicate compliance with the user's preference MUST NOT retain such data in a non-deidentified form.

We could also be silent on referral information altogether, although our conversations suggest it might be a significant ambiguity and lead to divergent implementations.

I don't think any of us intend for a user's DNT preference to also include explicitly telling one site about links on another site. Example: when I bookmark a page on example.com and store the bookmark at bookmarks.org, is bookmarks.org ignoring my DNT: 1 tracking preference? No.

## editorial suggestions

I've added a link to Roy's alternative proposal to my wiki list of editorial suggestions to address. In particular:
* alternative abstract
* removing definitions present in TPE (replacing with a reference)
* wording of section on indicating compliance

We might also use sections of Roy's text as alternative change proposals for other issues we take up (I believe we have one on the scope section, for example).

Received on Wednesday, 20 August 2014 01:44:06 UTC