Re: ISSUE-5: What is the definition of tracking? from Peter Eckersley on 2011-10-13 (public-tracking@w3.org from October 2011)

From: Peter Eckersley <peter.eckersley@gmail.com>
Date: Thu, 13 Oct 2011 15:03:21 -0700
To: Tracking Protection Working Group WG <public-tracking@w3.org>
Message-ID: <CAOYJvnJHBtt1UnSpBzWCi1QS+=PhAV7kFZeP7A_eAj7M4bD0Zg@mail.gmail.com>
My view:

1. Keep the name "Do Not Track" (we already got consensus on that at the
last meeting, I'm not sure why we're talking about it again!).

2. Use a very broad definition of tracking that comports with English and
user expectations.

3. Have a set of *exceptions*: situations in which the standard does not say
that companies MUST NOT track, even though the consumer would clearly prefer
that they not do.  That is just an admission that DNT cannot reengineer all
of the web to be fully privacy-respecting at a single stroke.  Instead, the
standard should focus its MUSTs on the cases where tracking has the lowest
degree of consent and the deepest view into users' reading habits.

4. If there are ways that some/many websites can comply with the request not
to track, even when the standard gives them an exception -- for instance
because they have ways to do strong anonymisation on their 1st party logs
when they see the DNT header: that's great, and should be encouraged but is
not required.

On 13 October 2011 14:44, Kevin Smith <kevsmith@adobe.com> wrote:

> I strongly support finding terminology that more closely matches
> functionality.  I think good evidence of the confusion the current naming
> convention would cause is the number of times this group has had this
> discussion and the number of times this is exact debate has blocked
> consensus on various things.  Put simply, many individuals of our working
> group have expressed that betraying the average user’s expectations
> (unqualified I know, I am just summarizing what I have heard expressed)
> would be a failure, and I do not believe that the terminology “Do Not Track”
> can be easily be reconciled with the expectation that data will not be
> shared across sites.****
>
> ** **
>
> Absolutely there is a large amount of sunk cost in the Terminology “Do Not
> Track”.  There has been a great deal of investment by various players to get
> some traction behind this (hence the reason we are here), and we will
> absolutely lose some of that industry momentum in the short run.  However,
> in the long run, I think this standard will be met with greater success if
> the terminology helps to educate the public on exactly what it hopes to
> accomplish.****
>
> ** **
>
> I am even more lexically challenged than Brett, but perhaps someone more
> creative could do something interesting with titles like:  “Prevent 3rdParty Data Sharing” or “Prevent 3
> rd Party Tracking and Targeting” or even “Prevent cross site tracking”.
> These are perhaps a bit too limiting in scope, but you get the idea.****
>
> ** **
>
> I am confident some people will still be confused or not understand what
> that means, but at least many people’s initial guess will be more accurate.
> ****
>
> ** **
>
> *From:* public-tracking-request@w3.org [mailto:
> public-tracking-request@w3.org] *On Behalf Of *Mike Zaneis
> *Sent:* Thursday, October 13, 2011 2:45 PM
> *To:* Jonathan Mayer; Brett Error
>
> *Cc:* Roy T. Fielding; Tracking Protection Working Group WG
> *Subject:* RE: ISSUE-5: What is the definition of tracking?****
>
> ** **
>
> “The world knows this proposal by”; “our standard will be guided largely by
> user expectations”; “follow-on (consumer) education”.  Can you provide
> support for these statements?  I don’t believe the world knows anything
> about this process.  I don’t believe Jonathan Mayer speaks for the broader
> user community.  As the only organization that has undertaken a consumer
> educational campaign (http://www.iab.net/privacymatters/), I’d be shocked
> if this group delivered on such a promise since this is the first time it
> has been brought up.  ****
>
> ** **
>
> Most of all, I’d appreciate some justification for calling my comments
> hypocritical.  I have repeatedly stated that we cannot deliver a mechanism
> that stops tracking and have provided concrete examples to justify that
> viewpoint.  What is inaccurate about what I’ve written?  ****
>
> ** **
>
> Your point that, “Do Not Track has real messaging force”, tells me that you
> are in favor of keeping it because it is catchy and will draw press
> attention.  That is fine, since that’s one of the options I identified, but
> let’s at least be honest about our intentions.****
>
> ** **
>
> As for attacking the DAA or other self regulatory programs, I believe that
> is truly out of scope for this group so I won’t waste everyone’s time with
> that discussion, but I am happy to take it offline if you’d like.****
>
> ** **
>
> Mike Zaneis****
>
> SVP & General Counsel****
>
> Interactive Advertising Bureau****
>
> (202) 253-1466****
>
> ** **
>
> Follow me on Twitter @mikezaneis****
>
> ** **
>
> ** **
>
> *From:* public-tracking-request@w3.org [mailto:
> public-tracking-request@w3.org] *On Behalf Of *Jonathan Mayer
> *Sent:* Thursday, October 13, 2011 4:32 PM
> *To:* Brett Error
> *Cc:* Roy T. Fielding; Tracking Protection Working Group WG
> *Subject:* Re: ISSUE-5: What is the definition of tracking?****
>
> ** **
>
> I completely share Aleecia's view that the scope of Do Not Track need not
> match how "tracking" is defined in a dictionary.  We're setting a technical
> standard here - it will be very open and explicit about what's covered and
> what's not.  Our standard will be guided largely by user expectations, but
> also by tech, business, law, policy, and politics constraints.  To the
> extent we deviate from user expectations, the onus is on us to explain why
> and how.  But in my view that's a question of follow-on education and
> discussion, not how we write the standard itself.  For example, I think we
> would be wise to produce a page explaining in plain terms what's covered and
> what isn't that all browsers can link to from their privacy settings.  I'm
> not at all concerned about some sort of media backlash about our definition.
>  From the outset almost every stakeholder has been clear that Do Not Track
> is about third-party tracking.  And just about all the press coverage has
> been about third-party tracking.  I'm particularly surprised to hear these
> hypocritical arguments coming from IAB and others in the self-regulatory
> space, since the opt outs y'all currently offer are orders of magnitude more
> misleading than a transparent Do Not Track standard will ever be.****
>
> ** **
>
> As for changing the name from Do Not Track, I would strongly oppose the
> move.  First, it's the name the world knows this proposal by.  (See, e.g.,
> http://www.google.com/trends?q=do+not+track.)  Attempting a retitle to
> "Tracking Preference Expression" caused lots of unnecessary confusion among
> stakeholders.  Second, Do Not Track has real messaging force.  It's no real
> secret that there are differing degrees of influence around the table.  For
> some, myself included, the name has been instrumental in making progress on
> third-party web tracking.****
>
> ** **
>
> Jonathan****
>
> ** **
>
> On Oct 13, 2011, at 1:16 PM, Brett Error wrote:****
>
> ** **
>
> slow clap<< :)****
>
>
> -----Original Message-----
> From: public-tracking-request@w3.org [mailto:
> public-tracking-request@w3.org] On Behalf Of Roy T. Fielding
> Sent: Thursday, October 13, 2011 1:52 PM
> To: Brett Error
> Cc: Tracking Protection Working Group WG
> Subject: Re: ISSUE-5: What is the definition of tracking?
>
> The essential problem with relying on a set of exceptions is that the end
> user cannot be expected to know those exceptions.  All they know is the
> configuration that is set.
> If we give the user an expectation of requesting "Do Not Track"
> and then allow sites to ignore that request on the basis of our set of
> exceptions, then I think regulators will treat this protocol in the same way
> that they treat fine print in contracts.
>
> In other words, we are setting up the situation where the mechanism will be
> implemented according to our standard but the regulations will be
> implemented according to the user's expectations -- nullifying our standard
> in the process.
>
> Users don't see header fields, so there is no need to change the DNT field
> name.  However, my current plan is to stop referring to it as "Do Not Track"
> in the document.
>
> ....Roy
>
> On Oct 12, 2011, at 6:02 PM, Brett Error wrote:
>
> ****
>
> Any time you are recording the behavior/path of something, you are tracking
> it.  There isn't anything we can do to redefine that in a consumer's
> lexicon, nor do I think we really want to.****
>
> ** **
>
> The urge to define "tracking" stems from the concern that  "do not track"
> sounds like it will forbid all tracking.  That, of course, also is not our
> intention so we feel compelled to redefine the word "track" to curtail its
> scope (in more of a legal document type of context).****
>
> ** **
>
> That would be one approach.  We can take (and indeed already are taking) a
> different approach.  ****
>
> ** **
>
> PROPOSAL: Close ISSUE-5 with the following notes:****
>
> ** **
>
> 1) The DNT specification covers a standard way wherein a consumer can
> express a tracking preference.  It is entirely up to the site/service
> whether or not to respect that preference.****
>
> ** **
>
> 2) It is entirely possible for a site/service to be in full compliance with
> the DNT specification, and still track a consumer, EVEN WHEN THAT CONSUMER
> IS EXPRESSING A PREFERENCE AGAINST BEING TRACKED.  An example of this is the
> first party exemption around which we've reached a (conceptual) consensus.
>  There are others being discussed.****
>
> ** **
>
> The notion here is that in certain situations, there may be reasons a party
> may have a right/need to do tracking.  It is our responsibility to define 1)
> what those situations are, 2) how, even in these situations, we do our best
> to protect the spirit of what the consumer is requesting (privacy), and 3)
> how, if at all, the service doing the tracking responds in this type of
> situation so that the consumer's agent can take action (if any).****
>
> ** **
>
> In doing so, we actually define "track" in the context of DNT, but avoid
> the messy aspects of a semantics battle.****
>
> ** **
>
> ** **
>
> -----Original Message-----****
>
> From: public-tracking-request@w3.org ****
>
> [mailto:public-tracking-request@w3.org] On Behalf Of Bjoern Hoehrmann****
>
> Sent: Wednesday, October 12, 2011 6:17 PM****
>
> To: Aleecia M. McDonald****
>
> Cc: public-tracking@w3.org****
>
> Subject: Re: ISSUE-5: What is the definition of tracking?****
>
> ** **
>
> * Aleecia M. McDonald wrote:****
>
> I am not convinced either Roy or I have the first case quite solid ****
>
> yet, perhaps because we have each phrased this as more absolute than ****
>
> what people think. It would be very good if people who think there is ****
>
> more to tracking than just data moving between sites could please ****
>
> chime in with a lucid explanation of what they mean.****
>
> ** **
>
> The Working Group cannot define "tracking" without additional modifiers in
> a manner that is inconsistent with typical english usage. "This user arrived
> on this page and then moved on to that page" is a statement that cannot be
> made if the user's movements around the site are not tracked.****
>
> --****
>
> Björn Höhrmann · mailto:bjoern@hoehrmann.de <bjoern@hoehrmann.de> · ****
>
> http://bjoern.hoehrmann.de Am Badedeich 7 · Telefon: +49(0)160/4415681 ***
> *
>
> · http://www.bjoernsworld.de****
>
> 25899 Dagebüll · PGP Pub. KeyID: 0xA4357E78 · ****
>
> http://www.websitedev.de/****
>
> ** **
>
> ** **
>
> ** **
>
> ** **
>



-- 
Peter
Received on Thursday, 13 October 2011 22:03:52 UTC