- From: Walter van Holst <walter@vanholst.com>
- Date: Thu, 09 Apr 2015 14:47:02 +0200
- To: public-tracking@w3.org

On 2015-04-08 21:50, Justin Brookman wrote:
> Walter had previously objected on the mailing list to removing
> "tracking data" from the non-normative discussion of
> de-identification. However, participants on the call today didn't
> think the removal of the term weakened that provision.
> De-identification already requires technical processes to ensure that
> *no one* can re-identify the data; the non-normative language simply
> notes other prophylactic steps that can be taken to address the
> persistent possibility of reidentification in the future.

For the record: I do not object to the removal of the term "tracking data". I specifically provided alternative wordings that would allow for its removal while retaining the intent and scope of the text. I have always been of the opinion that we can have a good spec without such a term, even though it might be helpful for getting there.

The core of my objection is that in the new text the obligation for having "business processes" that prevent re-identification could be read narrowly and would not prevent sharing de-identified data with a non-compliant party for the purpose of that party re-identifying that data. All while being able to claim DNT-compliance.

Regards,

Walter

P.S. in the IRC log I noticed "if I'm embedded in the NYT and remember the user's visit to the NYT, that's not by itself tracking, I think.". I think that is a clear-cut case of tracking. A DNT-compliant third party embedded on the NYT website should basically ignore any information of me being on that site (while sending DNT:1) unless necessary for and confined to a permitted use, let alone which article. Like Shane correctly pointed out, rate-limiting is a permitted use, but that is not dependent on me being on the NYT website.

Received on Thursday, 9 April 2015 12:47:38 UTC