Re: [TCS] comments on 17 Feb 2015 editors draft

Responses to some of the comments on this thread are included inline below. I've committed the corresponding changes in revision 1.141: http://www.w3.org/mid/E1YXdAG-0003D8-TT@gil.w3.org

More edits and responses to follow.

Thanks,
Nick

>> 1. Scope
>> 
>>   Do Not Track is designed to provide users with a simple mechanism to
>>   express a preference to allow or limit online tracking. Complying with the
>>   user's preference as described in this document includes limits on the
>>   collection, retention and use of data collected as a third party to user
>>   actions.
> 
> It also limits sharing of data collected as a first party.

I interpret this as a comment that our scope section could be more informative by discussing sharing limitations, including on data collected as a first party to a user action. I've updated to note that and include a mention of permanent de-identification, since that concept is also important to understanding compliance as described here.

>>> Do Not Track is designed to provide users with a simple mechanism to express a preference to allow or limit online tracking. Complying with the user's preference as described in this document includes limits on the collection, retention and use of data collected as a third party to user actions and the sharing of data not permanently deidentified.


>>   This recommendation is intended for compliance with expressed user
>>   preferences via user agents that (1) can access the general browsable Web;
>>   (2) have a user interface that satisfies the requirements in Determining
>>   User Preference in the [TRACKING-DNT] specification; (3) and can implement
>>   all of the [TRACKING-DNT] specification, including the mechanisms for
>>   communicating a tracking status, and the user-granted exception mechanism.
> 
> s/; (3) and can /; and, (3) can /

Fixed, thanks.

>>   Issue 209: Description of scope of specification
>> 
>> 2. Definitions
>> 
>>  2.1  User
>> 
>>   A user is an individual human. When user agent software accesses online
>>   resources, whether or not the user understands or has specific knowledge
>>   of a particular request, that request is "made by the user."
> 
> Note that this differs from the definition in TPE.

There are separate emails on this topic, so I may need to reply on a separate thread as well. However, I think this was pointed out to us by Chris Mejia on a much earlier draft and we realized that the additional "made by the user" language (and differences from TPE) weren't actually used. I'll double-check, but I do think we can remove that extra piece and use the same text as in TPE.

>> 2.5  Subrequest
>> 
>>   A subrequest is any network interaction that is not directly initiated by
>>   user action. For example, an initial response in a hypermedia format that
>>   contains embedded references to stylesheets, images, frame sources, and
>>   onload actions will cause a browser, depending on its capabilities and
>>   configuration, to perform a corresponding set of automated subrequests to
>>   fetch those references using additional network interactions.
> 
> The term subrequest was removed from TPE because we didn't need it.
> It is only used in this specification once -- in 2.8, where it can be
> deleted without any change of meaning (see below).

Yes, always great to remove definitions we've found we don't need.

>>  2.12  Collect, Use, Share, Facilitate
>> 
>>   A party collects data received in a network interaction if that data
>>   remains within the party's control after the network interaction is
>>   complete.
>> 
>>   A party uses data if the party processes the data for any purpose other
>>   than storage or merely forwarding it to another party.
>> 
>>   A party shares data if it transfers or provides a copy of data to any
>>   other party.
>> 
>>   A party facilitates any other party's collection of data if it enables
>>   such party to collect data and engage in tracking.
> 
> We don't use facilitate, so its definition should now be removed.

Great, removed, thanks.

>> 3. Server Compliance
>> 
>>   It is outside the scope of this specification to control short-term,
>>   transient collection and use of data, so long as the data is not shared
>>   with a third party and is not used to build a profile about a user or
>>   otherwise alter an individual user's user experience outside the current
>>   network interaction. For example, the contextual customization of ads
>>   shown as part of the same network interaction is not restricted by a DNT:1
>>   signal.
>> 
>>   Issue 134: Would we additionally permit logs that are retained for a short
>>   enough period?
> 
> The above paragraph seems to be disconnected.  I think it belongs in
> section 1 (Scope).

This paragraph was moved to the beginning of the compliance sections, per your request in ISSUE-218:
http://www.w3.org/2011/tracking-protection/track/issues/218

I believe the reasoning was to make clear at the beginning of the sections describing how servers can comply with a user's DNT:1 preference that some types of data are out of scope, regardless of whether a server is a first party or third party to a given user action. We could lengthen the 1. Scope section -- which would also apply broadly -- but making that section longer and more detailed also makes it harder to read as an overview.


>> 7. Legal Compliance
>> 
>>   Notwithstanding anything in this recommendation, a party MAY collect, use,
>>   and share data required to comply with applicable laws, regulations, and
>>   judicial processes.
> 
> I still think this section is silly, but *shrug* ... Normally, I would
> expect such a party to be non-compliant due to powers that be, rather
> than compliant by escape clause.

I believe I am also in the *shrug* category on this particular point, but I believe we settled on this language because some people in the Working Group found it important and some people in the Working Group didn't care.