- From: Roy T. Fielding <fielding@gbiv.com>
- Date: Mon, 6 Apr 2015 18:42:38 -0700
- To: Tracking Protection Working Group <public-tracking@w3.org>

Looking at the April 1 minutes, it looks like the best course of action for TPE is to not change anything (i.e., keep the two uses of "tracking data") given that they can be understood as implied by the definition of tracking, and even if they are misunderstood it wouldn't change an implementation.

For TCS, I am still requesting the following changes:

2.9.1 De-identification Considerations:

Remove the four contradictory references to "original tracking data" because that data isn't allowed to exist; i.e., replace:

   • technical safeguards that prohibit re-identification of de-identified data and/or merging of the original tracking data and de-identified data;
   • business processes that specifically prohibit re-identification of de-identified data and/or merging of the original tracking data and de-identified data;
   • business processes that prevent inadvertent release of either the original tracking data or de-identified data;
   • administrative controls that limit access to both the original tracking data and de-identified data.

with:

   • technical safeguards that prohibit re-identification of de-identified data;
   • business processes that specifically prohibit re-identification of de-identified data;
   • business processes that prevent inadvertent release of de-identified data;
   • administrative controls that limit access to de-identified data.

2.10 Tracking

Remove the paragraph defining "tracking data".

3.3.1.3 No Personalization

Remove "based on tracking data" because it is redundant; i.e., replace:

   A party that collects data for a permitted use MUST NOT use that data to alter a specific user's online experience based on tracking data, except as specifically permitted below.

with:

   A party that collects data for a permitted use MUST NOT use that data to alter a specific user's online experience, except as specifically permitted below.

3.3.3 Qualifiers for Permitted Uses [EXAMPLE 4]

Replace "tracking data" with "data about that activity".
======

I think all of the above changes should be completely non-controversial, assuming we are not going to reopen ISSUE-5. I want them done before proceeding to LC.

After the above changes, the only remaining use of "tracking data" in TCS is within 3.3:

> 3.3 Third Party Compliance:
>
> When a third party to a given user action receives a DNT:1
> signal in a related network interaction:
>
> • that party MUST NOT collect, share, or use tracking data
>   related to that interaction;
>
> • that party MUST NOT use data about network interactions with that
>   user in a different context.

I still think that the above is a poor substitute for our definition of tracking, since it uses a different set of words that can only be consistent with our definition if we assume "tracking data" = "data collected about this particular user across multiple distinct contexts". I would prefer that it used the same words as our definition:

   When a third party to a given user action receives a DNT:1 signal in a related network interaction, the party MUST NOT

   • collect data from this network interaction that would result in data regarding this particular user's activity to have been collected across multiple distinct contexts;

   • retain, use, or share data derived from this particular user's activity outside the context in which that activity occurred; nor,

   • use data about this particular user's activity in other contexts (e.g., to personalize a response to this network interaction).

IOW, I would prefer that it specifically disallow tracking using the same semantics as expressed by the preference of DNT:1. However, I can live with going to LC with the existing wording, assuming that there is no separate definition of tracking data in TCS that is inconsistent with our definition of tracking.

Cheers,

Roy T. Fielding <http://roy.gbiv.com/>
Senior Principal Scientist, Adobe <http://www.adobe.com/>

Received on Tuesday, 7 April 2015 01:43:03 UTC