W3C home > Mailing lists > Public > public-tracking@w3.org > July 2014

Re: Data minimization (ISSUE-31)

From: Roy T. Fielding <fielding@gbiv.com>
Date: Wed, 16 Jul 2014 08:58:37 -0700
Cc: "public-tracking@w3.org List" <public-tracking@w3.org>
Message-Id: <EF085DCD-36BF-4067-862F-51145FA35E0F@gbiv.com>
To: Justin Brookman <jbrookman@cdt.org>
On Jul 14, 2014, at 12:39 PM, Justin Brookman wrote:

> As discussed on the call last week, Mike O'Neill has withdrawn his change proposal (http://www.w3.org/wiki/Privacy/TPWG/Change_Proposals_on_data_minimization) (he decided the existing text already effectively accomplished what he wanted) so we are slated to close this issue by next week unless anyone proposes other text.
> In the past, I have heard arguments to revise the existing editors' draft language either to make it more stringent or to make it more flexible.  I know some advocates have said that DNT should mean that unique, persistent identifiers can NEVER be collected and set when DNT:1 is on; on the other hand, some in industry have argued that the presumption against unique identifiers unless necessary for a permitted use is too burdensome.
> If anyone wants to provide a suggested amendment to reflect either of these positions, please do so on the mailing list (and add to the wiki if you're feeling particularly ambitious).  If not, we will close the issue and retain the editors' draft language.

I have a problem with the text in this section, but not the WG intent.

I am unclear whether we are now deciding the section as a whole is okay
or that we merely don't need to address ISSUE-199 (the one that Mike's
change was about).  I am fine with closing ISSUE-199 (and ISSUE-31 for
that matter) but the text in these sections still needs a lot of work.

My general problem is that the parent section 3.3.1 is:

3.3.1 General Requirements for Permitted Uses

Some collection and use of data by third parties to a given user action is permitted, notwithstanding receipt of DNT:1 in a network interaction, as enumerated below. Different permitted uses may differ in their permitted items of data collection, retention times, and consequences. In all cases, collection and use of data must be reasonably necessary and proportionate to achieve the purpose for which it is specifically permitted; unreasonable or disproportionate collection, retention, or use are not “permitted uses”.

  Note: The requirements in the following sub-sections apply to a party that collects data for a permitted use and that would otherwise be prohibited from collecting, retaining or using that data under the third-party compliance requirements above. Where a first party to a given user action, for example, collects some data for a purpose listed among the permitted uses (e.g. security of network services), these  requirements do not apply.


First, this is phrased incorrectly as applying to all data collected,
whereas it should be limited to tracking data when DNT:1 is present.
The phrase "notwithstanding receipt of DNT:1 in a network interaction"
means the status of DNT is ignored here, which simply isn't true.
Second, it duplicates the requirements in the subparagraphs.

After that, the subsections below it read as if they apply
to parties in general and to data collection in general, rather
than to third parties only when DNT:1 is received.

I could rewrite each of these on a case by case basis, but I don't
want to do so until we deal with the more pervasive issue of not
using the defined term tracking to specify the requirements.

Received on Wednesday, 16 July 2014 15:59:02 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 17:40:11 UTC