Re: [ISSUE-5] What is the definition of tracking? from John Simpson on 2012-03-06 (public-tracking@w3.org from March 2012)

From: John Simpson <john@consumerwatchdog.org>
Date: Tue, 6 Mar 2012 15:43:50 -0800
To: "Roy T. Fielding" <fielding@gbiv.com>
Cc: Tracking Protection Working Group WG <public-tracking@w3.org>
Message-Id: <2E47CA25-32C5-4743-8C32-52E467BD2E14@consumerwatchdog.org>
Roy,

I support your definition of tracking and thank you for offering it. It should be included at least as an option in the next public working draft of the Compliance and Scope spec.

As you know, you and I have different views about the need for some definitions.  I'm a minimalist and behavioralist. If definitions are contentious you simply don't need to go there. A DNT spec need only state how to send the message, how to respond and what the obligations are when the message is received.  You don't need a theological or philosophical explanation of why, in my view.

However, if the WG believes we need to define tracking,  then your definition does so in a straight-forward way that is in keeping with user expectations.

I do have clarifying questions:  As I read you text it would preclude passive fingerprinting (i.e. IP address + User-Agent logs).  Am I correct?  Should we specifically call out that practice?

Cheers,
John



On Mar 4, 2012, at 3:36 PM, Roy T. Fielding wrote:

> Color me frustrated.  The definition for tracking provided in the
> Compliance document is not distinguishable from any request to a
> third-party site while rendering a page, nor does it reflect what
> a common user's expectation would be for that term, nor does it
> reflect any of the regulatory descriptions of the term.
> 
> Here is the current definition:
> =========
>  3.7 Tracking
> 
>  Tracking is the collection or use of user data via either a
>  unique identifier or a correlated set of data points being
>  used to approximate a unique identifier, in a context other
>  than "first party" as defined in this document. This includes:  			
> 
>   • a party collecting data across multiple websites,
>     even if it is a first party in one or more (but not all)
>     of the multiple contexts
> 
>   • a third party collecting data on a given website
> 
>   • a first party sharing user data collected from a DNT-on
>     user with third parties "after the fact".
> 
>  Examples of tracking use cases include:
> 
>   • personalized advertising
>   • cross-site analytics or market research that has not been de-identified
>   • automatic preference sharing by social applications
> 
> =========
> 
> The WG needs a definition that only applies to the act of tracking,
> since otherwise the entire Web (every image, CDN, stylesheet, etc.)
> is a false positive.  The WG needs a definition that is specific and
> consistent with user expectations, since otherwise "allow tracking"
> fails as a mechanism for consent.
> 
> Here is my proposed replacement text:
> 
> =========
> 
> Tracking is defined as following or identifying a user, user agent,
> or device across multiple visits to a site (time) or across multiple
> sites (space).
> 
> Mechanisms for performing tracking include but are not limited to:
> • assigning a unique identifier to the user, user agent, or device
>  such that it will be conveyed back to the server on future visits;
> • personalizing references or referral information such that they will
>  convey the user, user agent, or device identity to other sites;
> • correlating data provided in the request with identifying data
>  collected from past requests or obtained from a third party; or,
> • combining data provided in the request with de-identified data
>  collected or obtained from past requests in order to re-identify
>  that data or otherwise associate it with the user, user agent,
>  or device.
> 
> A preference of "Do Not Track" means that the user does not want
> tracking to be engaged for this request, including any mechanism
> for performing tracking, any use of data retained from prior tracking,
> and any retention or sharing of data from this request for the purpose
> of future tracking, beyond what is necessary to enable:
> 1) the limited exemptions defined in section XX;
> 2) the first-party (and third-parties acting as the first-party)
>    to provide the service intentionally requested by the user; and
> 3) other services for which the user has provided prior,
>    specific, and informed consent.
> 
> =========
> 
> I believe this new definition of tracking and the corresponding
> definition of "Do Not Track" will allow us to move beyond the
> arguments over broad exemptions and instead focus on transparency
> and individual control.  It allows the user to clearly state that
> they don't want tracking outside the first-party context and
> don't want any of the data retention/sharing effects of tracking.
> 
> The tracking status resource can convey exactly what tracking is
> performed by a site, if any, for a given resource and DNT value,
> including what limited exemptions are applicable.  Users (through
> user agent choice or configuration) can decide what services to use,
> or avoid, based on that transparency and not just a single on/off bit.
> 
> It separates the act of tracking from the mechanisms for doing
> tracking and the kinds of data retained from tracking.  The former
> is far easier to define in general, and the latter two will change
> over time as technologies change.
> 
> It allows a first-party service (including its outsourced
> contractors) to perform the service intentionally requested
> by the user, which may include personalization, analytics,
> or social networking as appropriate for that service, since
> otherwise a DNT enabled user would be constantly interrupted
> by consent dialogs just to do what they had already requested.
> A first-party might change their service upon receipt of DNT,
> such as by disabling social networking features, but that is
> presumed to be governed by the nature of the first-party
> service and the privacy options configured directly with
> that first-party.
> 
> It also recognizes that the user can provide prior consent
> for some services that will override the DNT signal, via
> mechanisms outside the scope of this standard, such as
> for paid audience survey tracking or content-by-subscription.
> Such an override, if active for the user, would be reflected
> in the tracking status response.
> 
> I would like to see this new text as at least an option in
> the upcoming compliance WD.  Also, IMO, the definitions of
> user, user agent, device, and tracking should be moved up to
> the start of the first section, or the detailed explanation
> of things like "first-party" moved into a later section, so
> that the details don't overwhelm the purpose of this document.
> 
> 
> Cheers,
> 
> Roy T. Fielding                     <http://roy.gbiv.com/>
> Principal Scientist, Adobe Systems  <http://adobe.com/enterprise>

----------
John M. Simpson
Consumer Advocate
Consumer Watchdog
1750 Ocean Park Blvd. ,Suite 200
Santa Monica, CA,90405
Tel: 310-392-7041
Cell: 310-292-1902
www.ConsumerWatchdog.org
john@consumerwatchdog.org
Received on Tuesday, 6 March 2012 23:44:08 UTC