- From: Alan Chapell <achapell@chapellassociates.com>
- Date: Thu, 26 Jun 2014 11:11:48 -0400
- To: "Roy T. Fielding" <fielding@gbiv.com>, Walter van Holst <walter.van.holst@xs4all.nl>
- CC: W3C DNT Working Group Mailing List <public-tracking@w3.org>
That may very well be, Roy. I wasn't at the table at the IETF, but I do note that this working group spent well over a year pretending that DNT wasn't just about 3rd parties. Regardless, the marketplace has changed significantly since the IETF. The ability of first parties to collect and use data has changed to the point where focusing solely on 3rd parties no longer offers the privacy protections that anyone who isn't steeped in this stuff might reasonably expect. In that sense, DNT, as initially conceived and scoped, is attempting to solve a 2014 set of challenges with a 2009 solution. Alan On 6/26/14 7:31 AM, "Roy T. Fielding" <fielding@gbiv.com> wrote: >On Jun 26, 2014, at 12:08 AM, Walter van Holst wrote: > >> On 2014-06-26 03:05, Chris Pedigo wrote: >>> Thank you Walter for pointing out that consumers are not surprised by >>> tracking within a 1st party context. >> >> That is not what I wrote, Chris. I wrote that it is a different problem >>than the problem this group intends to address. >> >> For the record: this group chose long before I joined to give 1st >>parties a blanket exemption. > >No, we did not. Claiming we chose such a thing when it obviously isn't >true is not helpful. > >The original intention of DNT was to apply only to subrequests to third >parties, as stated in the drafts at the IETF long before this working >group >was chartered. After changing that to send the signal on all requests, >in order to inform all parties of the user's preference, it follows that >we will have to make corresponding decisions regarding how DNT will be >interpreted by first parties. > >If we redefined DNT to turn off data collection by first parties in the >same way that it does to third parties, then a user with DNT:1 would >have to provide an exception or consent to almost every site they >intentionally used on the Internet. There is abundant evidence that >such a design doesn't work well for anyone, least of all the users, and >does not solve an identifiable privacy problem. > >So, we identified the privacy problem we are trying to address (tracking >of a user's activity across multiple contexts) and are currently trying >to decide what requirements on first parties are necessary in order to >satisfy DNT:1. We have not given a blanket exemption on tracking by first >parties. Remembering a user from one visit to the next is not tracking. >Data collection is not synonymous with tracking. > >> While I think that is overly broad, I also think that the nature and >>impact of tracking within a single context is by and large of a >>different order of magnitude than that of tracking across different >>contexts. The ability to achieve something on the latter problem >>justifies putting 1st party tracking on a back burner *provided* that >>there aren't loopholes for 3rd parties that also happen to be 1st >>parties at times. > >I think we should focus on what we have actually decided and (not yet) >written in the drafts, rather than assume one extreme opinion or another >based on vague memories of email conversations long ago. > >....Roy >
Received on Thursday, 26 June 2014 15:12:21 UTC