Privacy/TPWG/Proposals on the definition of context

From W3C Wiki

Please refer to ISSUE-240

Use of context in the definition of tracking

The term context is currently used in the TPE definition of tracking, which was the result of the Call for Objections in November 2013.

Tracking is the collection of data regarding a particular user's activity across multiple distinct contexts and the retention, use, or sharing of data derived from that activity outside the context in which it occurred.

Proposal 1 - Common controller and group identity

Text proposed by Roy Fielding:

A context is a set of resources with a common data controller and a group identity that is easily discoverable by a user. Note that this definition of context is intended to represent a typical user's expectations regarding the boundaries of a commonly branded Web site (i.e., what makes it distinct from sites with a different group identity) independent of the technology, domain names, or parties operating that site via one or more origin servers.

Proposal 4 - Related to data controller with common branding

Proposed by Rob van Eijk and Mike O'Neill via email.

A context is limited to the set of resources that share the same data controller, are covered by the same privacy policy, share a common branding, and whose host domains, other than that of the document origin, have been declared in the same-party property of the Tracking Resource.
Non-normative Note:
In case the same-party field is empty, then only the given site is considered to be the same context.
In order for a definition of context to be granular enough to distinguish one context from another, a set of cumulative criteria is proposed. The purpose of this definition is to reflect the user expectations that data collected for a specified purpose by one of those resources is available to all other resources within the same context. Data must not be shared between different contexts. Respect for context and purpose limitation within a context are important core principles for any use of (personal) data within that context. Within any particular network interaction within a context, a user can expect that session states and other data (strictly) necessary to support the activity will be retained or shared.
Given the outcome of the Call for Objections, the full combined tracking-context definition reads as: "Tracking is the collection of data regarding a particular user's activity across multiple distinct contexts and the retention, use, or sharing of data derived from that activity outside the context in which it occurred. A context is limited to the set of resources that share the same data controller, are covered by the same privacy policy, share a common branding, and whose host domains, other than that of the document origin, have been declared in the same-party property of the Tracking Resource."

Proposal 5 - Resources operated by one party

Text proposal by Chris Pedigo, Susan Israel, Rob Sherman on January 22 via email, updated on February 3.

A context is a set of resources that are controlled by the same party or parties.
Note: This refers back to the working group's definition of "party".

Proposal 6 - No definition

Proposal by Chris Mejia

The notion of context is left undefined.

Abandoned Proposals

1(a) Same controller/privacy policy/branding

Proposed by Roy Fielding as part of discussion on tracking definition:

For the purpose of this definition, a context is a set of resources that share the same data controller, same privacy policy, and a common branding, such that a user would expect that data collected by one of those resources is available to all other resources within the same context.