Re: ACTION-110: Write proposal text for what it means to "not track" (ISSUE-119)

Roy, Ninja, 

looks like we have two very good proposals on the table. Just to also give my 
recollection from the Brussels meeting: Matthias was complaining about the 
small websites, but also about the Universities that will not do big DNT 
implementation efforts. But they are not tracking either. How do we deal with 
it? Ninja took a first (restrictive) suggestion. Roy toned down a bit (I think 
we have too much misunderstandable EU data protection jargon in Ninja's 
proposal). 

Can you both be clear on: 

1/ Log data (which data for how long?)

2/ Cookie data (session cookies are not in scope anyway, right?)

And can we please stop the confusion of this case with the DNT case for the 
professionals? Only because there are sites that do not participate in the 
advertisement model (aka Universities) we should not disregard them in our 
solution. And if you really fear that having "normal University sites 
indicating that they do not track" is conveying a bad message on our normal 
DNT specification, then this may be seen as a confession that the industry 
doesn't trust the effectiveness of their own suggestions and that they want to 
re-think their suggestions. But I believe this would be a dead-end discussion, 
especially as I think all the alleged harm is not intended. 

This said, I agree with Aleecia and Roy that we should be careful about the 
concrete wording. "not-tracking" and "really-not-tracking" looks like a bad 
option. Somebody will ultimately come up with a "really-really-really-not-
tracking-fingers-crossed". So I share Roy's concern, but I don't think Ninja 
intended that effect. I remind you that we are in an international context 
here with non-native speakers.

Best, 

Rigo

On Monday 13 February 2012 15:04:24 Roy T. Fielding wrote:
> A party may claim that it is not tracking if
> 
> 1) the party does not retain data from requests in a form
> that might identify a user except as necessary to fulfill that
> user's intention (e.g., credit card billing data is necessary
> if the user is making a purchase) or for the limited purposes
> of access security, fraud prevention, or audit controls;
> 
> 2) when user-identifying data is retained for purposes other
> than to fulfill the user's intention, the party maintains
> strict confidentiality of that data and only retains
> that data for a limited duration that is no longer than is
> necessary to accomplish that purpose, thereafter destroying
> or otherwise clearing the user-identifying data; and,
> 
> 3) the party does not combine or correlate collected
> user-identifying data with any other data obtained from prior
> requests, user-identifying profiles, or data obtained from
> third parties unless specifically directed to do so by the user
> (e.g., when a user initiates a login request) or for the limited
> purposes of inspection for access security, fraud prevention,
> or audit controls.

Received on Saturday, 18 February 2012 23:16:15 UTC