Re: tracking data (was Re: [TCS] comments on 17 Feb 2015 editors draft)

Mike,
Personal identifiers have never entered the scope of the text despite your repeated attempts here - and the CfO supported that outcome. We can cover this again as I appreciate how frustrating it can be to have a topic you care about covered while you're not on a call - BUT I will be holding firm against attempts to on-board the concept of device identifiers in the scope of DNT.
- Shane
 Shane Wiley
VP, Privacy & Data Governance
Yahoo
From: Mike O'Neill <michael.oneill@baycloud.com>
To: 'Walter van Holst' <walter@vanholst.com>; 'Justin Brookman' <jbrookman@cdt.org>; public-tracking@w3.org
Cc: vtoubiana@cnil.fr; rob@blaeu.com
Sent: Thursday, April 9, 2015 8:21 AM
Subject: RE: tracking data (was Re: [TCS] comments on 17 Feb 2015 editors draft)


Also for the record: I strongly object to such late and massive changes being made to the text, especially the de-identification section, which was the result of much consensus building and a formal Call for Objections, and now also to the third-party compliance section which contained the essence of the document.

Astonishingly, the text no longer contains any reference to personal identifiers which, as I have said - and everybody knows, is the intrinsic mechanism of tracking. The logical structure has also been inverted so there is now an assumption of collection, with compliance defined by explicit conditions for processing. These conditions are opaque and unintelligible to users and implementers. A lawyer could drive a coach and horses through them, letting bodies claim compliance while in fact not changing their behaviour at all.

The most important question any implementer will ask: 

"Can a server executing a DNT request to a third-party resource use a persistent UID cookie, or another method that recognises the user in other interactions over time?"

This document now has no answer to that.

For the first time in years I was 30 minutes late to the 1 hour call, which had finished early by the time I arrived. I therefore ask that the issue be re-addressed next week.


Mike



> -----Original Message-----
> From: Walter van Holst [mailto:walter@vanholst.com]
> Sent: 09 April 2015 13:47
> To: public-tracking@w3.org
> Subject: Re: tracking data (was Re: [TCS] comments on 17 Feb 2015 editors
> draft)
> 
> On 2015-04-08 21:50, Justin Brookman wrote:
> 
> > Walter had previously objected on the mailing list to removing
> > "tracking data" from the non-normative discussion of
> > de-identification.  However, participants on the call today didn't
> > think the removal of the term weakened that provision.
> > De-identification already requires technical processes to ensure that
> > *no one* can re-identify the data; the non-normative language simply
> > notes other prophylactic steps that can be taken to address the
> > persistent possibility of reidentification in the future.
> 
> For the record: I do not object to the removal of the term "tracking
> data". I specifically provided alternative wordings that would allow for
> its removal while retaining the intent and scope of the text. I have
> always been of the opinion that we can have a good spec without such a
> term, even though it might be helpful for getting there.
> 
> The core of my objection is that in the new text the obligation for
> having "business processes" that prevent re-identification could be read
> narrowly and would not prevent sharing de-identified data with a
> non-compliant party for the purpose of that party re-identifying that
> data. All while being able to claim DNT-compliance.
> 
> Regards,
> 
>  Walter
> 
> P.S. in the IRC log I noticed "if I'm embedded in the NYT and remember
> the user's visit to the NYT, that's not by itself tracking, I think.". I
> think that is a clear-cut case of tracking. A DNT-compliant third party
> embedded on the NYT website should basically ignore any information of
> me being on that site (while sending DNT:1) unless necessary for and
> confined to a permitted use, let alone which article. Like Shane
> correctly pointed out, rate-limiting is a permitted use, but that is not
> dependent on me being on the NYT website.


Received on Thursday, 9 April 2015 16:22:04 UTC