Justin, the item about personalisation does not belong here and should be removed. Use of derived data is already ruled out by the condition above it. This sentence was originally in the permitted use section and was there to emphasise no secondary use. IMO it does not add clarity to the document and may as well be jettisoned.

Roy, the use of identifiers for load balancing etc. is already out of scope IMO because of the “short-term, transient collection and use” derogation. If you think it is important you could suggest (and I would support) a permitted use for data used solely for network efficiency reasons, i.e.:

Network efficiency.

Regardless of the tracking preference expressed, data MAY be collected, retained and used for the sole purpose of furthering communication network efficiency.

Mike,

From: Roy T. Fielding [mailto:fielding@gbiv.com]
Sent: 09 April 2015 23:12
To: Justin Brookman
Cc: Tracking Protection Working Group
Subject: Re: tracking data (was Re: [TCS] comments on 17 Feb 2015 editors draft)

On Apr 9, 2015, at 1:09 PM, Justin Brookman wrote:

So, to be clear, Section 3.3 would read in full (forgive dodgy formatting):

When a third party to a given user action receives a DNT:1 signal in a related network interaction, that party may collect and use data about those network interactions when:

1. a user has explicitly granted consent, as described below (Section 4. Consent);

2. data is collected for the set of permitted uses described below (Section 3.3.2 Permitted Uses);

3. or, the data is permanently de-identified as defined in this specification (Section 2.9 De-identification [ADD INTERNAL LINK]).

Other than under those enumerated conditions, that party MUST NOT

  •  collect data from this network interaction that would result in data regarding this particular user being associated across multiple distinct contexts;

  •  retain, use, or share data derived from this particular user's activity outside the context in which that activity occurred; nor,

  •  use data about this particular user's activity in other contexts (e.g., to personalize a response to this network interaction).

EXAMPLE 2

An embedded widget provider (a third party to users' interactions with various sites) counts visitors' country of origin and device type but removes identifiers in order to permanently de-identify collected data. For the purposes of this specification, the party is not tracking the user and can create a static site-wide tracking status resource with a tracking status value of N to indicate that status.

Outside the permitted uses and explicitly-granted exceptions listed below, a third party to a given user action must not collect, share, or associate with related network interactions any identifiers that identify a specific user, user agent, or device. For example, a third party that does not require unique user identifiers for one of the permitted uses must not place a unique identifier in cookies or other browser-based local storage mechanisms.

*************

JB: The rest of third-party compliance would I think not be affected (apart from the replacement of the term "tracking data" with "that data" and "data about that activity" in 3.3.1.3 and Example 4, respectively): http://www.w3.org/2011/tracking-protection/drafts/tracking-compliance.html#third-party-compliance

Hmm, I don't like the way that EXAMPLE hides those later requirements.

Wouldn't it be better above the example, or maybe as a fourth bullet now that the order has been reversed?

For the record, I don't consider those later requirements to be implementable. They originated in the June draft, without consensus, and keep dragging along in spite of the fact that they require a server to do something it simply cannot do: read the user's mind.

The other requirements are implementable because a server can determine when it has received data about another context and exclude that data to avoid tracking. The same is not true about setting random identifiers in cookies, since those are set by all sorts of mechanisms that have no awareness of context, such as session identifiers for load balancing.

....Roy
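The following is an added illustration, not part of the thread or of the W3C draft, of how a third-party server could apply the Section 3.3 text quoted above together with Mike's proposed "network efficiency" permitted use: under DNT:1 without consent it sets no unique user identifier, it still sets a short-lived load-balancer affinity cookie that names only a backend slot (the case Roy raises), and, as in the draft's Example 2, it records only de-identified aggregate counts of country and device type. The request shape, the `X-Geo-Country` header, the slot cookie name and the `ThirdPartyServer` class are my assumptions; the tracking status values `N`, `T` and `C` are those of the TPE specification.

```python
"""Added example (not from the W3C thread): applying the draft's third-party
rules and a hypothetical "network efficiency" permitted use to one request.

Assumptions (mine, not the spec's): requests are plain header dicts; the
country comes from a constructed X-Geo-Country header; the affinity cookie
is a random backend slot with no per-user meaning.
"""
import secrets
from collections import Counter
from dataclasses import dataclass, field

# Load-balancer affinity cookie: names one of a few backend slots and is
# scoped to the session. Under the proposed network-efficiency use it may
# be set regardless of DNT, because it identifies no user.
AFFINITY_COOKIE = "lb_slot"   # assumed name
BACKEND_SLOTS = 4

# Persistent per-user identifier: exactly what the draft forbids a third
# party from placing under DNT:1 outside a permitted use or consent.
USER_ID_COOKIE = "uid"        # assumed name


@dataclass
class Response:
    tracking_status: str                # value the tracking status resource would report
    set_cookies: dict = field(default_factory=dict)


@dataclass
class ThirdPartyServer:
    """Embedded widget provider in the style of the draft's Example 2:
    counts country of origin and device type, stores no identifiers."""
    aggregate: Counter = field(default_factory=Counter)

    def handle(self, headers: dict, consent: bool = False) -> Response:
        dnt = headers.get("DNT")
        country = headers.get("X-Geo-Country", "unknown")   # constructed header
        device = "mobile" if "Mobile" in headers.get("User-Agent", "") else "desktop"

        # Permanently de-identified aggregate: no user, UA or device id kept.
        self.aggregate[(country, device)] += 1

        cookies = {}
        # Transient affinity slot: random, unlinked to the user, set always.
        cookies[AFFINITY_COOKIE] = str(secrets.randbelow(BACKEND_SLOTS))

        if dnt == "1" and not consent:
            # DNT:1 and no explicit consent: no unique identifier may be set;
            # the server is not tracking, so it reports status N.
            return Response(tracking_status="N", set_cookies=cookies)

        # DNT unset/0, or consent granted under Section 4: a persistent
        # identifier is allowed. C signals consent, T signals tracking.
        cookies[USER_ID_COOKIE] = secrets.token_hex(16)
        return Response(tracking_status="C" if consent else "T",
                        set_cookies=cookies)


if __name__ == "__main__":
    srv = ThirdPartyServer()
    r = srv.handle({"DNT": "1", "User-Agent": "Mozilla/5.0 (Android) Mobile",
                    "X-Geo-Country": "GB"})
    print(r.tracking_status, sorted(r.set_cookies))   # N ['lb_slot']
    print(dict(srv.aggregate))                        # {('GB', 'mobile'): 1}
```

The point of the split is the one Roy makes: the server can reason about the cookies it sets deliberately, but an affinity identifier set by infrastructure with no notion of context has to be justified on its own terms, which is what Mike's proposed permitted use would do.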