Re: Chairs' decisions on Calls for Objection on tracking/party definitions (ISSUE-5, ISSUE-10)

On Dec 18, 2013, at 8:43 , Justin Brookman <jbrookman@cdt.org> wrote:

> Hi Mike, I appreciate the feedback.  A couple thoughts below (not vetted by other Chairs, so perhaps they disagree with me).  More discussion is welcome.
> 
> On Dec 18, 2013, at 11:22 AM, "Mike O'Neill" <michael.oneill@baycloud.com> wrote:
> 
>> Justin,
>>  
>> Here are my immediate thoughts on the basis of the chairs’ decision.
>>  
>> It is not correct that “the Working Group’s understanding [is] that Do Not Track is not fundamentally intended to limit data collection and use by first parties”. The long standing intention is that DNT should limit the use of collected data by first parties by at least not permitting sharing of it with other parties.
> 
> Yes, but that language is just designed to prevent workarounds to the standard by which parties could still do cross-site tracking.  It doesn't envision any limitations on what the first party can do with the data itself for its own purposes, nefarious or benign.  Option B runs counter to that notion.

No, it really doesn’t.  What users object to is having stuff remembered about them.  They might allow sites that they visit to remember stuff about them, but to pretend that those sites are not building a dossier about the users, and hence tracking them, is foolish.  It *is* tracking, even if the users realize that in order for the internet to function pleasantly, they are going to have to allow it.

This is the serious confusion that resulted in a confusing definition.

> 
>>  
>> My objection was to the ambiguity of Option A which can be read as allowing activity data being collected and retained by anyparty (i.e. third-parties or first-parties), if it was derived solely from within that context. This immediately requires the definition of not only “contexts” but also the definition of data that has been tainted through its association with other contexts, and this could further delay the process of getting to LC.
> 
> We will be discussing whether we need to define or further describe context on the call today.  It would be very helpful if you could present specific textual proposals, though we're not going to adopt a definition of context that radically changes the definition we just agreed to.  I think that data that has been "tainted through its associations with other contexts" would constitute tracking under our definition, though if you want to suggest refining language, I'll bring it to the group to consider.
> 
> To be clear, not saying you should have textual proposals by noon EST today!  But as we move the new issue through the process, specific ideas (as early as possible!) would be appreciated.
> 
>>  
>> This problem arises from trying to smuggle a particular compliance interpretation into the definition of tracking. A better way might be to have non-normative text saying that the DNT header (with the UGE API) has been designed to be primarily a cross-domain signalling mechanism which can be overridden by assumed consent in specific situations as described in the relevant compliance document, or by actual consent signalled by other mechanisms.
> 
> We are not trying to smuggle any compliance notions into the definition of tracking!  

Indeed you very clearly are.  The current split of 1st/3rd parties is very much an artefact of the way that the group has currently defined compliance, and it’s at the core of why you mistakenly rejected option B.  There are many problems with the 1st/3rd split, not least that the definition is not machine testable.  It is not hard to imagine other compliance regimes which have no such distinction, and so using the current ‘first parties can track you’ to define tracking in a contorted way that tries to exclude first parties is absolutely smuggling the current compliance into the definition.

Since many are now arguing that we should explicitly design for a multi-compliance world, this is a serious flaw in the decision.

> We are merely trying to articulate what the signal is designed to convey, and to whom.  The consensus of this group has been that the signal is not designed to tell first parties to not collect data about them.  For that reason, there were stronger objections to Option B.  I'm not entirely sure I understand the non-normative text you're suggesting, but if it's intended to say that DNT is meant to be a cross-domain signal to turn off first party data collection and use, I do not think that would be consistent with the group's decision (and I would argue long-standing agreement) on this issue.
> 
>>  
>>  
>> Mike
>>  
>>  
>>  
>> From: Justin Brookman [mailto:jbrookman@cdt.org] 
>> Sent: 18 December 2013 03:43
>> To: public-tracking@w3.org (public-tracking@w3.org)
>> Subject: Chairs' decisions on Calls for Objection on tracking/party definitions (ISSUE-5, ISSUE-10)
>>  
>> Hello all, we announced the results of the Calls for Objection on tracking and party definitions on last week's call --- the chairs decided that Option A on both had the least strong objections, and would be added as definitions to both the TPE and TCS.  I'm attaching brief explanatory memoranda on both ISSUES that address the group members' substantive objections in some more detail.  I don't expect to discuss the merits of these issues on the call tomorrow, though if there are questions about what the decisions mean for the work going forward, feel free to bring them up!  Thanks again to all for their contributions and hard work on finalizing the TPE document for last call; I do believe the end is in sight.
>>  
>>  
> 

David Singer
Multimedia and Software Standards, Apple Inc.

Received on Wednesday, 18 December 2013 17:00:51 UTC