RE: June Change Proposal: Definition of Tracking (ISSUE-5)

I agree with Jonathan here. It is important for clarity that collection is included in the definition of tracking. The essence of the “DAA proposal” is that data can still be collected, and user ids etc. deployed, when DNT is set. The only limitation on the receiving servers would be to refrain from presenting targeted ads and to ensure non-affiliates that somehow got hold of the retained data (though not the raw data through data stream cloning) would find it difficult to re-identify. 

 

Unless the purpose is for a specific permitted purpose DNT should mean no collection (with maybe non-normative text describing this as active collection beyond immediate transport and sub-layer headers).

 

From: Jonathan Mayer [mailto:jmayer@stanford.edu] 
Sent: 07 July 2013 21:48
To: David Singer
Cc: public-tracking@w3.org Group WG
Subject: Re: June Change Proposal: Definition of Tracking (ISSUE-5)

 

Perhaps a concrete example would help clarify: Suppose a third-party website starts tagging browsers with ID cookies for no particular reason.  I think that should be covered, even if the website quickly discards the data.

 

A parallel in the recent NSA coverage may also be instructive.  The NSA has argued that it does not "collect" information when it is swept into a dragnet.  Some observers have criticized this perspective, noting that privacy risks arise from data being made available to the NSA, independent of how it is retained or used.

 

Jonathan

 

On Monday, July 1, 2013 at 9:46 AM, David Singer wrote:

 

On Jun 27, 2013, at 20:17 , Jonathan Mayer <jmayer@stanford.edu> wrote:

 

David,

 

This definition is trying to get at two issues. First, privacy risks flow from the very collection of certain information (e.g. linkable non-protocol information). Second, the standard should prohibit certain collection practices. Much like the June Draft usage of the term "tracking," the intent here is to reflect the aims and sweep of the compliance document. Other sections of text provide detail, including that protocol information can be used.

 

I am still not getting what you mean by 'collect' that is different from 'retain'.

 

Example (we worked with this before): 'collect' means actively gathering information that is additional to that found in the protocol exchange. Examples would be looking up a geographic location (using IP address), or looking the user up in some database held by another party (distinguishing this collected data from data already known by the party).

 

We already seem to be working towards 'retain' as holding information after the transaction is over.

 

 

 

Best,

Jonathan

On Thursday, June 27, 2013 at 6:49 PM, David Singer wrote:

 

Can you tell us what you mean by 'collect' (that distinguishes it from 'retain', and that allows use of in-transaction data for satisfying the transaction)?

 

 

On Jun 26, 2013, at 5:57 , Jonathan Mayer <jmayer@stanford.edu> wrote:

 

I would propose that we not define "tracking" within the TCS document.

 

In the alternative, if the group elects to proceed with a definition, I would propose this small change:

Tracking is the collection, retention, or use of data records that are, or can be, associated with a specific user, user agent, or device.

 

This definition encompasses collection of information, unlike the June Draft text.

 

David Singer

Multimedia and Software Standards, Apple Inc.

 

David Singer

Multimedia and Software Standards, Apple Inc.