Re: tracking-ISSUE-240 (Context): Do we need to define context? [Tracking Preference Expression (DNT)] from David Singer on 2013-12-19 (public-tracking@w3.org from December 2013)

From: David Singer <singer@apple.com>
Date: Thu, 19 Dec 2013 10:16:27 -0800
To: "Matthias Schunter (Intel Corporation)" <mts-std@schunter.org>
Cc: Tracking Protection Working Group <public-tracking@w3.org>
Message-id: <666BD6D1-9A98-4DFE-B015-5F21FA968FA2@apple.com>
On Dec 19, 2013, at 1:56 , Matthias Schunter (Intel Corporation) <mts-std@schunter.org> wrote:

> Hi Lee,
> 
> fyi: If you split this sentence in two parts, "expectation" is out of the picture:
> 
> NORMATIVE
> 
> A context is a set of resources that share the same data controller, same privacy policy, and a common branding.
> 
> NON-NORMATIVE
> 
> A user should be able to  expect that data collected by one of those resources is available to all other resources within the same context.

this is more of a warning than a positive statement, so it might be better phrased as such:

A user should expect that data collected by one of those resources may be made available to all other resources within the same context.

> 
> IMHO With this definition of context, however, our ISSUE-5 definition seems to imply that all contexts (the first party and each individual third party) would be permitted to "track" the user locally. Only the correlation/linking of data across contexts would be disallowed. E.g., a third-party element can still record user behavior and do frequency capping and set an identifying cookie, …

you’re getting closer to my prior (rejected) definition of cross-site:  holding data that associates the user with a ‘context’ other than your own. 

> 
> 
> Regards,
> 
> Matthias
> 
> Am 18.12.2013 23:02, schrieb Lee Tien:
>> "Context" confuses me.  For instance, this language...
>> 
>>>>> "For the purpose of this definition, a context is a set of resources that share the same data controller, same privacy policy, and a common branding, such that a user would expect that data collected by one of those resources is available to all other resources within the same context."
>> ...seems clearly to rely on user expectations.  I don't have a fundamental problem with that -- but many in the group argued a while back that they could not know what a user would expect.
>> 
>> Lee
>> 
>> 
>> On Dec 18, 2013, at 12:36 PM, Justin Brookman wrote:
>> 
>>> Right, I think I understand you now.  I think that would be a perverse reading of context --- and not one that any working group participant would want --- but we can make that more clear.  I think Roy's notion is that there are *millions* of different contexts out there, and DNT is a request that servers not merge data across those contexts.
>>> 
>>> I think that most participants would be willing to offer clarifying language on at least that point, but the harder question is what other guidance we want to add.  I think Roy's language is a good starting point, but I'd be interested to hear other ideas.
>>> 
>>> On Dec 18, 2013, at 2:25 PM, David Singer <singer@apple.com> wrote:
>>> 
>>>> The point I made on the call I will put here just for the record.
>>>> 
>>>> We have, in the past, used context to distinguish “first party” and “third party” contexts, i.e. there are only two contexts.  (Well, perhaps also service-provider acting for 1st or 3rd).
>>>> 
>>>> If someone reads this definition of tracking and there is NO definition of context, they might understand
>>>> 
>>>> "the retention, use, or sharing of data derived from that activity outside the context in which it occurred”
>>>> 
>>>> as allowing data collected in “a third party context” and then used or shared also in a “third party context” as staying in the same context, and not tracking.  This is not what Roy writes below or what we intend, but, without a definition, it could be misunderstood that way.
>>>> 
>>>> 
>>>> On Dec 18, 2013, at 10:37 , Tracking Protection Working Group Issue Tracker <sysbot+tracker@w3.org> wrote:
>>>> 
>>>>> tracking-ISSUE-240 (Context): Do we need to define context? [Tracking Preference Expression (DNT)]
>>>>> 
>>>>> http://www.w3.org/2011/tracking-protection/track/issues/240
>>>>> 
>>>>> Raised by: Justin Brookman
>>>>> On product: Tracking Preference Expression (DNT)
>>>>> 
>>>>> The definition of tracking that was adopted by the group includes a concept of "context" that some members have asked that the text define more clearly.
>>>>> 
>>>>> Roy Fielding was the author of this definition, and included this language on context in the Call for Objections poll:
>>>>> 
>>>>> The above definition also depends on there being a definition of context that bounds a scope of user activity, though it is not dependent on any particular definition of that term. For example, something along the lines of: "For the purpose of this definition, a context is a set of resources that share the same data controller, same privacy policy, and a common branding, such that a user would expect that data collected by one of those resources is available to all other resources within the same context."
>>>>> 
>>>>> Alternatively, the group might decide that the common sense meaning of context is sufficient, as it more closely approximates a user's general intent in turning on the Do Not Track signal.
>>>>> 
>>>>> We will continue discussion of this topic on the January 8th call, but we encourage discussion of these (and other) ideas on the list in the meantime.
>>>>> 
>>>>> 
>>>>> 
>>>> David Singer
>>>> Multimedia and Software Standards, Apple Inc.
>>>> 
>>>> 
>>> 
>>> 
>>> 
>> 
> 
> 

David Singer
Multimedia and Software Standards, Apple Inc.
Received on Thursday, 19 December 2013 18:16:56 UTC