Re: ISSUE-203: use of tracking in Compliance

On Jun 11, 2014, at 1:07 PM, "Roy T. Fielding" <fielding@gbiv.com> wrote:

> On the call, I was wondering why we seem to be repeating the same concerns
> that should have been resolved when we defined tracking for TPE.
> Well, I guess one reason might be that the current draft TCS does not
> actually use the definition of tracking in a normative way.
> David Singer raised an issue about that in ISSUE-203, and I completely
> forgot that it hasn't been fixed yet.
> 
> Perhaps the chairs could drive that to completion before we continue
> with the other unresolved issues?  I think it will cut the amount of
> text we have in half, and similarly simplify the change proposals.
> 
> ….Roy
> 

I'm not sure I understand why this would limit our other issues.  Right now, we say "Don't collect/use/retain info related to this network interaction outside of permitted uses."  If we just change that to (or add) "Don't use tracking information outside of permitted uses", I'm not sure that solves or limits the other issues.  You still have the same question as to what the permitted uses are, and what data minimization efforts you need to use for those permitted uses.  Both "Don't collect/use/retain" and "Don't track" are pretty absolute; TCS (or another compliance regime) is supposed to carve out the scope of what limited collection and use is appropriate.

Whether third parties can use unique/persistent identifiers despite a DNT signal has been one of the most contentious issues in this group from Day One.  Under TPE, if you retain ANY cross-site data (whether you use unique IDs or not), you're supposed to send back T (maybe tracking) and link to a compliance regime.  It's up to the compliance regime to set the parameters for what the limits are, yes?

Received on Wednesday, 11 June 2014 17:32:35 UTC