- From: David Singer <singer@apple.com>
- Date: Tue, 03 Jan 2012 15:18:30 -0800
- To: "<public-tracking@w3.org> (public-tracking@w3.org)" <public-tracking@w3.org>
- Message-id: <D1903891-F5CC-49F6-8E5D-47183911E617@apple.com>
Issue number: 23
Issue name: Possible exemption for analytics
Suggested retitle: Possible exemption for outsourcing
Issue URL:
http://www.w3.org/2011/tracking-protection/track/issues/23
Section number in the FPWD: 3.4 Types of Tracking
Contributors to this text: (Draft) David Singer, (Edit) Jonathan Mayer
Specification:
A third-party site may operate as a first-party site if all the following conditions hold:
the data collection, retention, and use, complies with at least the requirements for first-parties;
the data collected is available only to the first party, and the third party has no independent right to use the data;
the third party makes commitments to adhere to this standard in a form that is legally enforceable (directly or indirectly) by the first party, individual users, and regulators; data retention by the third party must not survive the end of this legal enforceability;
the third party undertakes reasonable technical precautions to prevent collecting data that could be correlated across first parties.
Non-normative Discussion:
The rationale for rule (2) is that we allow the third party to stand in the first party’s shoes – but go no further. The third party may not use the data it collects for “product improvement,” “aggregate analytics,” or any other purpose except to fulfill a request by a first party, where the results are shared only with the first party.
Rule (3) allows for the possibility of more than one level of outsourcing.
In rule (4), one component of reasonable technical precautions will often be using the same-origin policy to segregate information for each first-party customer.
Note that any data collected by the third party that is used, or may be used, in any way by any party other than the first party, is subject to the requirements for third parties.
Example:
ExampleAnalytics collects analytic data for ExampleProducts Inc.. It operates a site under the DNS analytics.exampleproducts.com. It collects and analyzes data on visits to ExampleProducts, and provides that data solely to ExampleProducts, and does not access or use it itself.
Text that possibly belongs in other sections:
When the third party sends a response header, that header must indicate that that they are a third party and that they are operating under this exception.
Note that a third party that operates under a domain name or other arrangement that makes it appear to the user as if they are the first party, or a part or affiliate of the first party, is nonetheless a third party and is subject to the requirements of this clause ("DNS masquerading").
Issue number: 34
Issue name: Possible exemption for aggregate analytics
Suggested retitle: Possible exemption for unidentifiable data
Issue URL:
http://www.w3.org/2011/tracking-protection/track/issues/34
Section number in the FPWD: 3.4 Types of Tracking
Contributors to this text: (Draft) David Singer, (Edit) Jonathan Mayer
Specification:
A third party may collect, retain, and use any information from a user or user agent that, with high probability, could not be used to:
1) identify or nearly identify a user or user agent; or
2) correlate the activities of a user or user agent across multiple network interactions.
Examples:
1. A third-party advertising network records the fact that it displayed an ad.
2. A third-party analytics service counts the number of times a popular page was loaded.
Non-Normative Discussion:
This exception (like all exceptions) may not be combined with other exceptions unless specifically allowed. A third party acting within the outsourcing exception, for example, may not make independent use of the data it has collected even though the use involves unidentifiable data. A rule to the contrary would provide a perverse incentive for third parties to press all exceptions to the limit and then use the collected data within this exception.
A potential ‘safe harbor’ under this clause could be to retain only aggregate counts, not per-transaction records.
Text that possibly belongs elsewhere:
Possible advances in de-anonymization that make previously non-identifiable data, identifiable, should be considered.
[Maybe need an issue: whose problem is it when data from disparate sources, all but one of which are anonymous, is combined to achieve de-anonymization?]
Received on Tuesday, 3 January 2012 23:18:58 UTC