RE: ACTION-75: Write-up a hybrid of Do Not Profile and Do Not Cross-Site Track

Nicholas,

There is the "general rule" and then there is the list of "operational exceptions".  I believe I've been responding to the "general rule" and am relying on the "operational exceptions" to allow for the use of cross-site data that's been collected for narrow purposes (such as security or general financial reporting, for example).

- Shane

From: Nicholas Doty [mailto:npdoty@w3.org]
Sent: Friday, February 03, 2012 4:28 PM
To: Shane Wiley
Cc: Tracking Protection Working Group WG
Subject: Re: ACTION-75: Write-up a hybrid of Do Not Profile and Do Not Cross-Site Track

Hi Shane,

Sorry for the confusion, but this gives me more questions, as I didn't realize the Service Provider concept was important for this proposal.

Do you mean "Service Provider" in the sense of the outsourcing exception currently defined in 3.6.1.2 http://www.w3.org/2011/tracking-protection/drafts/tracking-compliance.html#TypesofTrackingOutsourcing? I thought the Cross-Site Track proposal allowed third parties to collect siloed data for their own purposes (targeting advertising, etc.) which would be contrary to the current text as I understand it.

If this proposal is compatible with the current outsourcing exemption, then that's great news and I think we're one step closer to consensus.

On Feb 3, 2012, at 12:22 PM, Shane Wiley wrote:
3rd parties MUST NOT collect data across multiple, non-affiliated or branded websites.
<Non-Normative> Data collected by a 3rd party MUST be segregated according to the 1st party from which it was collected.  A 3rd party MUST NOT aggregate, correlate or use together data that was collected on different 1st party sites.

Do these next three statements only apply to data collected across multiple sites? Or to any data that a third party collects about a user?  [Correct - only data collected across multiple sites - as profiling only for a single site falls under the 1st party definition (as a Service Provider with no independent rights to use this data elsewhere).]

3rd parties MUST NOT add collected data to a "profile" of a user.

3rd parties MUST NOT leverage previously collected data to profile a user or to alter a user's experience.

3rd parties MUST NOT attempt to personally identify a user.

If these only apply to data collected across multiple sites, I'm not sure the first at least is necessary. If I can't collect data about a user across sites, it would be impossible to use that not-collected data to add to a profile of them, right?

[Logically you could argue it that way but we added these statements to make the prohibition very clear and to lower the risk of logic entanglement arguments.]

I see now, thanks. I still find the language confusing per the below, but I'm all for making statements clear even if it requires some level of redundancy.


Also, if that assumption is right, then the language seems confusing to me; 3rd-parties would be allowed to add data to profiles, leverage previously collected data to alter a user's experience or identify a user, as long as they were doing so with data they hadn't combined across sites, right?

[Correct - as a Service Provider to a 1st party with no independent rights to use this data elsewhere.]

Thanks,
Nick

Received on Monday, 6 February 2012 15:41:28 UTC