- From: Lorrie Cranor <lorrie@cs.cmu.edu>
- Date: Wed, 24 Aug 2005 22:20:23 -0400 (EDT)
- To: Eric Peterson <eric.peterson@gmail.com>
- cc: www-p3p-policy@w3.org
If the tracking vendor is acting as an agent to the web site and following the definition of agent at http://www.w3.org/TR/P3P/#RECPNT: "An agent in this instance is defined as a third party that processes data only on behalf of the service provider for the completion of the stated purposes. (e.g., the service provider and its printing bureau which prints address labels and does nothing further with the information.)" then there is no problem. Repurposing tracking data in aggregate form is ok as long as it truely is aggregate form. See section 3.3.1: "Service providers often aggregate data they collect. Sometimes this aggregate data may be used for different purposes than the original data, shared more widely than the original data, or retained longer than the original data. For example many sites publish or disclose to their advertisers statistics such as number of visitors to their Web site, percentage of visitors who fit into various demographic groups, etc. When aggregate statistics are used or shared such that it would not be possible to derive data for individual people or households based on these statistics, no disclosures about these statistics are necessary in a P3P policy. However, services MUST disclose the fact that the original data is collected and declare any use that is made of the data before it is aggregated." See for example Scenario 3 in section 2.5 of the spec. Lorrie -- Lorrie Faith Cranor <http://lorrie.cranor.org/> * Associate Research Professor, Computer Science and Engineering & Public Policy Carnegie Mellon University * P3P Specification Working Group Chair <http://www.w3.org/p3p/> * Book: Web Privacy with P3P <http://p3pbook.com/> On Wed, 24 Aug 2005, Eric Peterson wrote: > > Rigo, > > I got your email a few weeks back but have not had a chance to respond > as of yet. I am wondering if you folks have any opinion/information > about the situation where companies are entering into contractual > arrangements with third-parties to manage subdomains on their behalf > for the purpose of tracking using cookies. > > E.g., Apple pays Omniture to create a tracking domain called > metrics.apple.com, having an IP address owned by Omniture, not apple. > > Do you have any insight into how P3P should be constructed in > situations like this? Or, put another way, do you see inherent risk > in companies doing this kind of thing? > > I ask because some of the tracking vendors then take aggregate data > and repurpose that into widely viewable reports (e.g., Coremetrics > LIVEmark, WebSideStory Statmarket, ...) My suspicion is that this is > in conflict with site's stated P3P policy. > > Any insight you have is greatly appreciated. If you'd like to get on > the phone that would be great. > > Thanks in advance, > -- > Eric T. Peterson > Author, Web Analytics Demystified and Web Site Measurement Hacks > Senior Analyst, JupiterResearch > www.webanalyticsdemystified.com > > Have you joined the Metrics Discussion Group? Email > webanalytics-subscribe@yahoogroups.com to join today! > > > >
Received on Thursday, 25 August 2005 02:21:08 UTC