- From: Mike O'Neill <michael.oneill@baycloud.com>
- Date: Thu, 9 Apr 2015 17:59:30 +0100
- To: "'Shane M Wiley'" <wileys@yahoo-inc.com>, "'Walter van Holst'" <walter@vanholst.com>, "'Justin Brookman'" <jbrookman@cdt.org>, <public-tracking@w3.org>
- Cc: <vtoubiana@cnil.fr>, <rob@blaeu.com>
- Message-ID: <174f01d072e6$8cee81f0$a6cb85d0$@baycloud.com>
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Shane, They entered the scope, and have been in the actual text, of the document for years, see my email to Justin. Mike From: Shane M Wiley [mailto:wileys@yahoo-inc.com] Sent: 09 April 2015 17:21 To: Mike O'Neill; 'Walter van Holst'; 'Justin Brookman'; public-tracking@w3.org Cc: vtoubiana@cnil.fr; rob@blaeu.com Subject: Re: tracking data (was Re: [TCS] comments on 17 Feb 2015 editors draft) Mike, Personal identifiers have never entered the scope of the text despite your repeated attempts here - and the CfO supported that outcome. We can cover this again as I appreciate how frustrating it can be to have a topic you care about covered while you're not on a call - BUT I will be holding firm from attempts to on-board the concept of device identifiers in the scope of DNT. - - Shane Shane Wiley VP, Privacy & Data Governance Yahoo From: Mike O'Neill <michael.oneill@baycloud.com> To: 'Walter van Holst' <walter@vanholst.com>; 'Justin Brookman' <jbrookman@cdt.org>; public-tracking@w3.org Cc: vtoubiana@cnil.fr; rob@blaeu.com Sent: Thursday, April 9, 2015 8:21 AM Subject: RE: tracking data (was Re: [TCS] comments on 17 Feb 2015 editors draft) - -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Also for the record: I strongly object to such late and massive changes being made to the text, especially the de-identification section, which was the result of much consensus building and a formal Call for Objections, and now also to the third-party compliance section which contained the essence of the document . Astonishingly, the text no longer contains any reference to personal identifiers which, as I have said - and everybody knows, is the intrinsic mechanism of tracking. The logical structure has also been inverted so there is now an assumption of collection, with compliance defined by explicit conditions for processing. These conditions are opaque and unintelligible to users and implementers. A lawyer could drive a coach and horses through them, letting bodies claim compliance while in fact not changing their behaviour at all. The most important question any implementer will ask: "Can a server executing a DNT request to a third-party resource use a persistent UID cookie, or another method that recognise the user in other interactions over time?" This document now has no answer to that. For the first time in years I was 30 minutes late to the 1 hour call, which had finished early by the time I arrived. I therefore ask that the issue be re-addressed next week. Mike > -----Original Message----- > From: Walter van Holst [mailto:walter@vanholst.com] > Sent: 09 April 2015 13:47 > To: public-tracking@w3.org > Subject: Re: tracking data (was Re: [TCS] comments on 17 Feb 2015 editors > draft) > > On 2015-04-08 21:50, Justin Brookman wrote: > > > Walter had previously objected on the mailing list to removing > > "tracking data" from the non-normative discussion of > > de-identification. However, participants on the call today didn't > > think the removal of the term weakened that provision. > > De-identification already requires technical processes to ensure that > > *no one* can re-identify the data; the non-normative language simply > > notes other prophylactic steps that can be taken to address the > > persistent possibility of reidentification in the future. > > For the record: I do not object to the removal of the term "tracking > data". I specifically provided alternative wordings that would allow for > its removal while retaining the intent and scope of the text. I have > always been of the opinion that we can have a good spec without such a > term, even though it might be helpful for getting there. > > The core of my objection is that in the new text the obligation for > having "business processes" that preven re-identification could be read > narrowly and would not prevent sharing de-identified data with a > non-compliant party for the purpose of that party re-identifying that > data. All while being able to claim DNT-compliance. > > Regards, > > Walter > > P.S. in the IRC log I noticed " if I'm embedded in the NYT and remember > the user's visit to the NYT, that's not by itself tracking, I think.". I > think that is a clear-cut case of tracking. A DNT-compliant third party > embedded on the NYT website should basically ignore any information of > me being on that site (while sending DNT:1) unless necessary for and > confined to a permitted use, let alone which article. Like Shane > correctly pointed out, rate-limiting is a permitted use, but that is not > dependent on me being on the NYT website. - -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.13 (MingW32) Comment: Using gpg4o v3.4.103.5490 - http://www.gpg4o.com/ Charset: utf-8 iQEcBAEBAgAGBQJVJpkPAAoJEHMxUy4uXm2JbLAH/2jxWxuTwhYHH2EmFZUAGQRy iTTm1GAMwLO17ts7Mozrc4RrA1VzxbNidfun3QpZLKlCdFGP9ujq8V/GQgzvuw3Q qLXurSuF4rlG6nJlxGC/o+w8DNlNKHHptL8PxACG/AfHH1DF4+fzFt5f89n0xzIl iEidYY8GJInfOekwOs67+xfo+lipfmE+Pq2VGAPK57k4DbBIy1Va2wzlC99yfQ4f Cm1pz8iEOKTcA5xdUKoYk06vLqP21Gxu5wCGO9f53JynNSK16U71SQeonevVC4Pg ++UMIM/uBPLXds21xXPL5FWiI3HkUX+G477hxGNwRTVaZGorzK/2inwYF/OAu9s= =zCW+ - -----END PGP SIGNATURE----- -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.13 (MingW32) Comment: Using gpg4o v3.4.103.5490 - http://www.gpg4o.com/ Charset: utf-8 iQEcBAEBAgAGBQJVJq/xAAoJEHMxUy4uXm2J570H+QFWtH8UgrCCTcjqnzNkZA5w Jx+YPlvgOaxh7zWQZzmTBqDCQwHVHVJYid14CAx3X6Bg0sKODYcRppQti2AIExEk gSSF7LoPNXmaTZoFr1fKMyTcotaBjmvV4n/eAGagxL9RLiieaDUo8WCGZKmRgqic Ln+SleDWQcvlEFfeSXu43G5Bf3QX74bRtq4HM/GGO5lxIJUPkwoXL1iS6BVcKwC0 CQPaDxWgDMymbJvKQ9D9ExcnF5KEKegCGB8w/kHG8Bn9qU+LBjqbvX3Yzk3iUmw9 SsJ1x4BD6zN8LhCMGd495/ApV9mBW9N1RUCUv2GxRi35bues6sWI1jA314rlMXc= =84Kc -----END PGP SIGNATURE-----
Attachments
- text/html attachment: PGPexch.htm
- application/octet-stream attachment: PGPexch.htm.sig
Received on Thursday, 9 April 2015 17:00:18 UTC