RE: issue-240 - further non normative text to clarify the definition of data collected "across multiple contexts" from Mike O'Neill on 2014-01-10 (public-tracking@w3.org from January 2014)

From: Mike O'Neill <michael.oneill@baycloud.com>
Date: Fri, 10 Jan 2014 12:55:35 -0000
To: "'Roy T. Fielding'" <fielding@gbiv.com>, <mts-std@schunter.org>
Cc: "'Justin Brookman'" <jbrookman@cdt.org>, "'David Singer'" <singer@apple.com>, <public-tracking@w3.org>
Message-ID: <025f01cf0e03$42dd8be0$c898a3a0$@baycloud.com>
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi Roy,

Thanks for your clarification, so would you have a problem with my non-normative text? I think it just reiterates what I think you say here i.e. collecting/using the data is tracking if it is tainted with other-context data.

My point was that by defining tracking in this way i.e. tracking is that which is collected "across multiple distinct contexts" leaves *some* tracking (tracking solely within one context) out of scope of the specification. It follows that the clarity of the definition of context, and what is meant by "across multiple contexts" is crucial for users' and implementers' understanding. Non-normative text should help with that.

I actually do not think it matters too much that the DNT is limited to multiple-context tracking (as long as we are clear on what that means) because there is already a simple mechanism for signalling same-context (aka same origin) consent. I did not like the "multiple-contexts" thing being imported, for one because it may confuse the discourse on same-context tracking, but as we now have it I can live with it if it means we can get the spec to LC quickly.

I also think Matthias's suggestion is a good one, I will reply to that later.

Mike


> -----Original Message-----
> From: Roy T. Fielding [mailto:fielding@gbiv.com]
> Sent: 09 January 2014 22:07
> To: Mike O'Neill
> Cc: 'Justin Brookman'; David Singer; public-tracking@w3.org
> Subject: Re: issue-240 - further non normative text to clarify the definition of
> data collected "across multiple contexts"
> 
> 
> On Jan 8, 2014, at 5:38 PM, Mike O'Neill wrote:
> 
> > As discussed today, here is some non-normative text attempting to clarify the
> issue of data in one context being “tainted” by information collected in another.
> This is important because the definition of tracking now leaves out of scope
> data collected within a single context, i.e. by a data controller responsible for
> either a  first-party or a third-party resource.
> 
> No, it does not leave out any such thing. It says what is tracking,
> regardless of how that tracking occurred.
> 
> “Tracking is the collection of data regarding a particular user's activity across
> multiple distinct contexts and the retention, use, or sharing of data derived from
> that activity outside the context in which it occurred.”
> 
> The problem is how you are misreading the first half and ignoring the second.
> 
>   (Tracking) is
>   the collection of
>   (data regarding a particular user's activity across multiple distinct contexts)
>   and
>   the retention, use, or sharing of
>   (data derived from that activity)
>   outside the context in which it occurred.
> 
> Note that the first half doesn't depend on any notion of when that data
> was collected, nor by whom.  It doesn't matter how many interactions
> might have been collected, nor how they were collected.  As soon as the
> data set contains information tied to a particular user's activity in more
> than one context, it becomes tracking data, and the act of retaining that
> combined data set is tracking because that data set has to be outside the
> context of at least one of those multiple distinct contexts.
> 
> But that's not how you are reading the sentence.  You are assuming it says
> 
>   Tracking is the collection across multiple distinct contexts
>   of data regarding a particular user's activity.
> 
> Those two sentences are not the same.  The definition isn't ambiguous because
> "regarding" always takes precedence.
> 
> Whether or not referral data amounts to tracking depends on how it is
> processed, what is retained, and for how long.
> 
> For example, most shopping sites will associate referral data with a
> user for the length of a session in order to measure (and pay a bounty
> for) conversions upon sale.  It is fair to say that they are tracking
> the user for at least as long as they retain that association tied to
> that particular user.  I suspect most compliance regimes would allow
> that as a permitted use, but it is still tracking the user until that
> association is removed (assuming that the referral data is about some
> other context).
> 
> In contrast, an analytics product might take the referral data, only
> record that a hit was received on page B from site A, and then discard
> the remaining bits.  Since the retained form is not data regarding a
> particular user, saving the mere count is not tracking the user under
> our definition unless the count itself is unique to that user (e.g.,
> the referral site is a personal URI).  That's why analytics software
> often excludes URI components containing query data, or anything that
> looks like UIDs, when retaining or reporting referrals.
> 
> To be clear, the definition only describes what tracking is.  It does
> not describe what tracking is allowed.
> 
> ....Roy
> 

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.13 (MingW32)
Comment: Using gpg4o v3.2.34.4474 - http://www.gpg4o.de/
Charset: utf-8

iQEcBAEBAgAGBQJSz+3HAAoJEHMxUy4uXm2JrccH/3ByLf3QdZiZUbqckLp4BMC7
n3qU8rgw6hKeynWwy9CDom+xaQEqmSAXiJ53rIGvrRgyJks+h4rC/O0vxcGlIldb
17NCsztX5hoo6lecRjxmjnlOGbFmtwRj1xSKrZQqcGreD3vZNsEkSC25NnqNMv3C
ZO9btoozKk06anKJHZB43HGs9VkAsgJgncGDQNMbwdnV7JaFHicy/ybcK1f/RW3J
XEDzWIAkgPnWCtrzNc3KDyQXh89rfEsnjmm702MhJSyNhmjGvToXfWJ/HGjQjkS4
vLRK0W2lJNmBFFizRQvfSDAq0Juqxo5L8T/KyT7IdE7t9ruyeSfT33DYr7IbP9w=
=ZEhp
-----END PGP SIGNATURE-----
Received on Friday, 10 January 2014 12:56:26 UTC