- From: Roy T. Fielding <fielding@gbiv.com>
- Date: Wed, 30 Nov 2011 12:35:40 -0800
- To: Jeffrey Chester <jeff@democraticmedia.org>
- Cc: "<public-tracking@w3.org> (public-tracking@w3.org)" <public-tracking@w3.org>
On Nov 30, 2011, at 10:36 AM, Jeffrey Chester wrote:

> In addition, although sites might be commonly owned--as in Google/YouTube--the tracking and targeting approaches can be different. Consequently, users should not be expected to safely assume that they understand all the ways they can be tracked and data collected even by a commonly owned entity. So the focus should be, as I believe we all agree, on maximizing consumer privacy.

Maximizing consumer privacy is an unbounded wish, not the focus of this group.

DNT is about HTTP tracking of users from sites that might be trusted to sites that might not be trusted, and the sharing of personally identifiable or behavioral information collected at one site with any other site that a user would not have expected to have deliberately provided that information. It doesn't matter how the data is collected or how the user is tracked -- what matters is that a user's choice to provide data to one site does not imply that they want the same data (or generalizations based on that data) to affect their interactions with, be observable by, or be retained by other sites.

So, we are specifying a means for the user to express that they do not wish such data to be retained/used by any site other than the one that they deliberately decided to provide it to, along with a set of constraints on recipients of such data when the DNT expression is enabled. This requires that we distinguish between sites that have been deliberately chosen by the user to receive the data (a.k.a., first parties) and anyone else who just happens to receive that data because of how browsers request, process, and render page elements provided by the first party. It also requires that we define the scope of a "site" as an aspect of the user's perception of their own deliberate decision, rather than a more technical term like domain (an artifact of DNS) or same-origin (an artifact of web application security).

That is the technical problem we are trying to solve.
All of the input documents state it that way, not as a salvation for privacy in general. All of the participants at the Cambridge F2F agreed that the constraints did not apply to non-sharing first-party sites. The issue would have been closed then if it were not for the minor detail that we had no definition for "first-party" and thus couldn't reasonably resolve to an unknown.

There are many other privacy concerns that have nothing to do with DNT. For example, how Amazon presents behavioral advertising within its own site based on information collected on that customer within its own site. Those settings can be controlled in the Amazon account profile, not in HTTP. Amazon may choose, for its own business reasons, to modify its own behavior based on the presence of DNT, but there are no requirements or expectations in the protocol for it to do so. They are not a privacy concern because the user is deliberately using their services, Amazon does not share that data with third parties AFAIK, and Amazon provides a way to edit, delete, or disable its use for personalization and targeting. We don't have to make a standard for them because there is nothing in HTTP or HTML that tells a user where they can choose to shop.

Likewise, the set of interactions that occur wholly within the Google+ or Facebook site that represent deliberate choices by the user to make use of those services are not a subject relevant to this WG. We are only focusing on cross-site interactions that are not a deliberate choice of the user. That's how DNT has been presented in all of the original proposals and is the basis for why companies like Adobe are participating in this process. People who want DNT to be successful do not want it to impact deliberate choices by the user because that will result in the same failures as previous attempts to convince people to turn off cookies.
The only way that features like this make sense is if it is easier to obey with degraded service than it is to tell the user to turn DNT off first.

Whether or not Google and YouTube are considered the same site depends on both site ownership (control) and appearance (branding). What matters is that the user thinks they are, or are not, the same site when providing the data. This is not a problem that we can solve in HTTP, nor is it a problem that we need to solve in DNT. The site owners need to decide the extent of their own same-branding and thus the extent to which they can internally share data without violating the user's expressed consent. DNT cannot usefully define it any more than that because neither same-branding nor same-ownership is observable within the protocol.

The user's expectations, however, can be enforced by users or regulators by choosing to boycott their services or more directly by filing lawsuits. Hence, any widening of the first-party definition is inherently governed by real user expectations, not by anything we document within the spec. It is in the site's best interests to obey those expectations.

....Roy
Received on Wednesday, 30 November 2011 20:36:23 UTC