RE: [TCS] comments on 17 Feb 2015 editors draft


Hi Shane,

I wasn’t “attempting to state a user must be aware of all ‘requests’ to be deemed a user”, just that a user is a conscious person, not a sneaky bit of JavaScript inserted by a tracker. (in my view that is obvious but whatever). I was agreeing with Roy.

On the other point I was talking about the definition of “tracking data” which is defined but has not been in a CfO. Roy wanted to remove the definition but I pointed out it was used in many places, including the consensus text on de-identification.


From: Shane M Wiley
Sent: 16 March 2015 16:08
To: Mike O'Neill
Subject: Re: [TCS] comments on 17 Feb 2015 editors draft

User - I disagree on attempting to state a user must be aware of all "requests" to be deemed a user.  I'm fine with the refined statement but again don't believe this somehow states a user is completely aware of all sub/requests made when navigating the web.

Tracking - I would leave this definition alone as it has already been through the CfO process.

- Shane

Shane Wiley
VP, Privacy & Data Governance

From: Mike O'Neill
Sent: Thursday, March 12, 2015 10:56 AM
Subject: Re: [TCS] comments on 17 Feb 2015 editors draft

As promised, I have distilled my comments down to three issues, one in the Scope and two in the Definitions. The others were covered by Roy, and reading it again I think the UID text is OK.

> 1. Scope.

> This recommendation is intended for compliance with expressed user preferences via user agents that (1) can access the general browsable Web; (2) have a user interface that satisfies the requirements in Determining User Preference in the [TRACKING-DNT] specification; (3) and can implement all of the [TRACKING-DNT] specification, including the mechanisms for communicating a tracking status, and the user-granted exception mechanism.

The use of ‘and can’ implies the user-agents MUST implement the exception API in order to comply, which is counter to the chairs’ decision on issue-151 in which Option C calling for a MUST in the TPE was rejected. The text here would allow servers to ignore DNT from user-agents that were incapable of implementing the API, e.g. they did not support, or the user had disabled, JavaScript execution.

(3) should be changed to remove “all of” and the last phrase “, and the user-granted exception mechanism” should be removed.

> 2. Definitions

> 2.1 User
> A user is an individual human. When user agent software accesses online resources, whether or not the user understands or has specific knowledge of a particular request, that request is "made by the user."

If the user is unaware of a request they cannot be said to have initiated or made it. The definition should just be the same as the one in the TPE (as Roy said):
A user is a natural person who is making, or has made, use of the Web.

> 2.11 Tracking
> Tracking data is any data that could be combined with other data to engage in tracking a user across different contexts.

This definition is important because it is used in de-identification and clarifying examples, so should not be removed. It is not simply "data collected when tracking" because it is referring to data which can be linked to a user agent instance so that further requests from it can be recognised (in other contexts).

It could be better expressed. My suggestion is:

Tracking data is data collected during a network interaction that can be used to recognise the same user during subsequent network interactions in other contexts.




Received on Saturday, 21 March 2015 19:34:27 UTC