- From: Nick Doty <npdoty@w3.org>
- Date: Mon, 16 Mar 2015 15:08:27 -0700
- To: "fielding@gbiv.com" <fielding@gbiv.com>
- Cc: "public-tracking@w3.org" <public-tracking@w3.org>
- Message-Id: <B1987062-2547-488A-9808-FE3A6302BA55@w3.org>
Responses to some of the comments on this thread are included inline below. I've committed the corresponding changes in revision 1.141: http://www.w3.org/mid/E1YXdAG-0003D8-TT@gil.w3.org More edits and responses to follow. Thanks, Nick >> 1. Scope >> >> Do Not Track is designed to provide users with a simple mechanism to >> express a preference to allow or limit online tracking. Complying with the >> user's preference as described in this document includes limits on the >> collection, retention and use of data collected as a third party to user >> actions. > > It also limits sharing of data collected as a first party. I interpret this as a comment that our scope section could be more informative by discussing sharing limitations, including on data collected as a first party to a user action. I've updated to note that and include a mention of permanent de-identification, since that concept is also important to understanding compliance as described here. >>> Do Not Track is designed to provide users with a simple mechanism to express a preference to allow or limit online tracking. Complying with the user's preference as described in this document includes limits on the collection, retention and use of data collected as a third party to user actions and the sharing of data not permanently deidentified. >> This recommendation is intended for compliance with expressed user >> preferences via user agents that (1) can access the general browsable Web; >> (2) have a user interface that satisfies the requirements in Determining >> User Preference in the [TRACKING-DNT] specification; (3) and can implement >> all of the [TRACKING-DNT] specification, including the mechanisms for >> communicating a tracking status, and the user-granted exception mechanism. > > s/; (3) and can /; and, (3) can / Fixed, thanks. >> Issue 209: Description of scope of specification >> >> 2. Definitions >> >> 2.1 User >> >> A user is an individual human. When user agent software accesses online >> resources, whether or not the user understands or has specific knowledge >> of a particular request, that request is "made by the user." > > Note that this differs from the definition in TPE. There are separate emails on this topic, so I may need to reply on a separate thread as well. However, I think this was pointed out to us by Chris Mejia on a much earlier draft and we realized that the additional "made by the user" language (and differences from TPE) weren't actually used. I'll double-check, but I do think we can remove that extra piece and use the same text as in TPE. >> 2.5 Subrequest >> >> A subrequest is any network interaction that is not directly initiated by >> user action. For example, an initial response in a hypermedia format that >> contains embedded references to stylesheets, images, frame sources, and >> onload actions will cause a browser, depending on its capabilities and >> configuration, to perform a corresponding set of automated subrequests to >> fetch those references using additional network interactions. > > The term subrequest was removed from TPE because we didn't need it. > It is only used in this specification once -- in 2.8, where it can be > deleted without any change of meaning (see below). Yes, always great to remove definitions we've found we don't need. >> 2.12 Collect, Use, Share, Facilitate >> >> A party collects data received in a network interaction if that data >> remains within the party's control after the network interaction is >> complete. >> >> A party uses data if the party processes the data for any purpose other >> than storage or merely forwarding it to another party. >> >> A party shares data if it transfers or provides a copy of data to any >> other party. >> >> A party facilitates any other party's collection of data if it enables >> such party to collect data and engage in tracking. > > We don't use facilitate, so its definition should now be removed. Great, removed, thanks. >> 3. Server Compliance >> >> It is outside the scope of this specification to control short-term, >> transient collection and use of data, so long as the data is not shared >> with a third party and is not used to build a profile about a user or >> otherwise alter an individual user's user experience outside the current >> network interaction. For example, the contextual customization of ads >> shown as part of the same network interaction is not restricted by a DNT:1 >> signal. >> >> Issue 134: Would we additionally permit logs that are retained for a short >> enough period? > > The above paragraph seems to be disconnected. I think it belongs in > section 1 (Scope). This paragraph was moved to the beginning of the compliance sections, per your request in ISSUE-218: http://www.w3.org/2011/tracking-protection/track/issues/218 I believe the reasoning was to make clear at the beginning of the sections describing how servers can comply with a user's DNT:1 preference that some types of data are out of scope, regardless of whether a server is a first party or third party to a given user action. We could lengthen the 1. Scope section -- which would also apply broadly -- but making that section longer and more detailed also makes it harder to read as an overview. >> 7. Legal Compliance >> >> Notwithstanding anything in this recommendation, a party MAY collect, use, >> and share data required to comply with applicable laws, regulations, and >> judicial processes. > > I still think this section is silly, but *shrug* ... Normally, I would > expect such a party to be non-compliant due to powers that be, rather > than compliant by escape clause. I believe I am also in the *shrug* category on this particular point, but I believe we settled on this language because some people in the Working Group found it important and some people in the Working Group didn't care.
Received on Monday, 16 March 2015 22:08:44 UTC