RE: Proposals for Compliance issue clean up from Mike O'Neill on 2012-11-12 (public-tracking@w3.org from November 2012)

From: Mike O'Neill <michael.oneill@baycloud.com>
Date: Mon, 12 Nov 2012 20:15:45 -0000
To: "'Alan Chapell'" <achapell@chapellassociates.com>
Cc: <public-tracking@w3.org>
Message-ID: <038701cdc112$804155f0$80c401d0$@baycloud.com>
Hi Alan,

 

I have no problem (in the DNT case) with reasonable commercial purposes like frequency capping, click fraud detection etc., as long as minimum entropy UUID were only around for a short period (hours rather than months), not be recreated or cloned etc. and solely used for those purposes. What most people don’t want is their web history gathered without their consent, and that needs persistent or constantly recreated UUIDs. If they were confident their non-consent would be strictly honoured, and consent could be easily revoked, then I’m sure ultimately most people would not have a problem with OBA.

 

Mike

 

 

 

 

From: Alan Chapell [mailto:achapell@chapellassociates.com] 
Sent: 12 November 2012 14:54
To: Mike O'Neill; public-tracking@w3.org
Cc: ifette@google.com; tlr@w3.org
Subject: Re: Proposals for Compliance issue clean up

 

Good Morning Mike, pls see below…

 

 

From: Mike O'Neill <michael.oneill@baycloud.com>
Date: Saturday, November 10, 2012 10:40 AM
To: <public-tracking@w3.org>
Cc: <ifette@google.com>, <tlr@w3.org>
Subject: RE: Proposals for Compliance issue clean up
Resent-From: <public-tracking@w3.org>
Resent-Date: Sat, 10 Nov 2012 15:41:40 +0000

 

It has been pointed out to me that my last message may have been too brief to be constructive, for which I apologise.

 

I was simply offering an opinion, namely that the early decision (to make the compliance spec mean different things to sites receiving DNT:1)  is one of the reasons our process is stuck, which in turn has opened it up to ridicule. My interjection was to what I perceived as an example of this, applying the 1st party rule to redirector hosts.

 

Agree completely re: the 1st party and 3rd party distinctions – when taken to the extreme – are creating all kinds of issues with the spec. Specifically, (and at risk of sounding like a broken record) significant anti-competitive issues, a negative impact upon diversity of content choices for Users, and (quite ironically) little to no improvement on consumer privacy choices. Although given that we haven't done a great job as a group of articulating the privacy harms we're trying to address, I suspect this final point may be lost on some.

 

I may have missed your point re: redirector hosts. What is the issue we're trying to get at by pushing for redirector hosts to be treated as 3rd parties?

 

 

I think it also underlies the emotional reaction to debates shown by some, either because they feel disadvantaged by the lack of a level playing field, or they feel that the original conception of DNT as a simple declarative indication of intent has been lost.

 

I believe the idea was a compromise in order to reach agreement, but that has patently not happened. In fact it has had the opposite effect.

 

Because only servers accessed in a 3rd party context need to amend their business practices, companies naturally try to ensure their operation is in the other category. This has led to continued debate about how the  categories are defined and differentiated  in the TPC and overly complex additions of protocol elements to the TPE. For example, extra qualifiers in the request and the response headers have had to be invented, which Ian pointed out was becoming tedious.

 

I also think this had made reaching agreement on exemptions more difficult, because DNT has a greater impact on parties that rely on 3rd party elements and do not have the high traffic sites. This fundamental unfairness has led to some inventing ever more exemption categories to get their operations off the hook.

 

My opinion is that there should be no difference in the compliance spec between 1st and 3rd parties, the DNT:1 signal should mean UUIDs must not be allocated or used without consent, and we should put more effort in designing an effective and transparent exception protocol. As has been pointed out many times this distinction cannot apply in Europe anyway. The reason most of us are here is to respond to people’s unease about privacy and loss of trust in the web, and we should primarily address that.

 

As I've said, I'm increasingly uncomfortable with a complete first party immunity to the DNT spec. But outside of trying to reign this notion in a bit, I've been unable to come up with a solution that would not result in accusations that I'm trying to blow up the whole process here.  

 

Can you sketch out your idea a bit more? Are you advocating that items like frequency capping would be covered under Permitted Uses? Or are you saying that the storage of ANY UDID (other than fraud, security, etc) post enactment of DNT would be off limits?

 

 

Mike

 

 

 

From: Mike O'Neill [mailto:michael.oneill@baycloud.com] 
Sent: 10 November 2012 09:20
To: ifette@google.com
Cc: public-tracking@w3.org
Subject: RE: Proposals for Compliance issue clean up

 

Ian,

 

Redirections are invisible to users so we cannot give the parties that host them carte blanche to ignore DNT. The 1st party/ 3rd party distinction is starting to make this whole process look ridiculous.

 

Mike

 

From: Ian Fette (イアンフェッティ) [mailto:ifette@google.com] 
Sent: 09 November 2012 21:07
To: Aleecia M. McDonald
Cc: public-tracking@w3.org (public-tracking@w3.org) (public-tracking@w3.org)
Subject: Re: Proposals for Compliance issue clean up

 

Aleecia, there was proposed text as an alternative to ISSUE-97/ACTION/196. See my work on ACTION-303 and proposals on that thread. http://www.w3.org/2011/tracking-protection/track/actions/303

 

In particular, I am not satisfied with redirects being treated as third parties and would object to that concept.

 

-Ian

 

On Fri, Nov 9, 2012 at 12:04 PM, Aleecia M. McDonald <aleecia@aleecia.com> wrote:

Here are places we might have straight-forward decisions. If there are no responses within a week (that is, by Friday 16 November,) we will adopt the proposals below.


For issue-97 (Re-direction, shortened URLs, click analytics -- what kind of tracking is this?)  with action-196, we have text with no counter proposal. Unless someone volunteers to take an action to write opposing text, we will close this with the action-196 text.
        PROPOSED: We adopt the text from action-196, http://lists.w3.org/Archives/Public/public-tracking/2012Jun/0106.html

For issue-60 (Will a recipient know if it itself is a 1st or 3rd party?) we had a meeting of the minds (http://lists.w3.org/Archives/Public/public-tracking/2012Apr/0129.html) but did not close the issue. We have support for 3.5.2 Option 2, http://www.w3.org/2011/tracking-protection/drafts/tracking-compliance.html#def-first-third-parties-opt-2, with one of the authors of 3.5.1 Option 1, http://www.w3.org/2011/tracking-protection/drafts/tracking-compliance.html#def-first-third-parties-opt-2 accepting Option 2. There was no sustained objection against Option 2 at that time. Let us find out if there is remaining disagreement.
        PROPOSED: We adopt 3.5.2 Option 2, http://www.w3.org/2011/tracking-protection/drafts/tracking-compliance.html#def-first-third-parties-opt-2

For action-306, we have a proposed definition with accompanying non-normative examples
        PROPOSED: We adopt the text from action-306 to define declared data, to be added to the definitions in the Compliance document, http://lists.w3.org/Archives/Public/public-tracking/2012Oct/0296.html
        PROPOSED: We look for volunteers to take an action to write text explaining when and how declared data is relevant (See the note in 6.1.2.3, http://www.w3.org/2011/tracking-protection/drafts/tracking-compliance.html#first-party-data) to address issue-64

        Aleecia
Received on Monday, 12 November 2012 20:16:22 UTC