Dear TPWG,
ISSUE-5 raised the question how to define tracking. After weeks of productive discussions, we have chosen three alternative proposals of how to resolve ISSUE-5, documented below.
The goal of this Call for Objections is to choose the proposal which draws the least substantiated objections.
Please document for each option why you cannot live with a given option and what would need to be done to resolve your concerns. Note that this is not a vote, i.e., substance and not only numbers count.
Once we have resolved ISSUE-5 it will be used for at least two purposes: (a) Define scope of the work in document introduction(s) (b) Define user preference in a broad sense (e.g., what a user requests when she says DNT: 1)
Regards, Carl, Justin, Matthias
Candidate (A): Tracking across multiple distinct contextsemail October 16; discussed on 2013-10-23 teleconference. Amended by Roy in response to comments received.
DefinitionTracking is the collection of data regarding a particular user's activity across multiple distinct contexts and the retention, use, or sharing of data derived from that activity outside the context in which it occurred.
The above definition depends on collection, retention, use, and sharing being defined along the lines of the editors' draft or as clarified by Vinay's proposals.
The above definition also depends on there being a definition of context that bounds a scope of user activity, though it is not dependent on any particular definition of that term. For example, something along the lines of: For the purpose of this definition, a context is a set of resources that share the same data controller, same privacy policy, and a common branding, such that a user would expect that data collected by one of those resources is available to all other resources within the same context.
The above definition also assumes that an explanation of permitted tracking will occur as well, presumably in the introduction along with the definition of tracking, so that a reader won't be misled about the user's expressed preference being the same as compliance. For example, something along the lines of: Some servers might perform tracking regardless of the user's expressed preference; for example, a service might have obtained prior consent that allows them to track the user, or a service might limit its tracking to specific purposes that are allowed under a given compliance regime (see Section XX).
Candidate (B): Retention/use associated with user, user agent, device DefinitionIn general terms, tracking is the retention or use after a network transaction is complete, or sharing, of data that is, or can be, associated with a specific user, user agent, or device.
Non-normative TextTracking may result in the compilation of a database about a person and their online activity, perhaps without their knowledge. Harms from this might include direct ones, such as differential pricing or service provision, through to major ones, including the consequences of public revelation of the database, access to it by persons with criminal intent, or its use by government or other bodies.
Note that the extent to which tracking data may nonetheless be retained in the presence of this signal under some circumstances is defined in the companion specification.
NotesThe following non-normative text was previously here, but would be out of place in the TPE, and is premature for the Compliance document. So the above text is suited to the TPE, and we can settle on the non-normative text that reflects Compliance when we get there.
However, this recommendation assumes that by choosing to visit a site, users allow First Parties to retain and use tracking data they collect directly, or indirectly via Service Providers (though there are restrictions on sharing); and it allows Third Parties to claim permission to retain tracking data under some specific conditions (e.g. for security, auditing, or for deferred processing of raw data).
Candidate (C): No definitionOriginally proposed by jmayer; supported 2013-10-30 from Jack Hobaugh.
No definition; remove from Definitions section, rest of document unchanged.
Prior Proposals Proposal (1): Tracking browsing activity across multiple distinct contextsProposal from Roy Fielding; issue-5
New textTracking is the act of following a particular user's browsing activity across multiple distinct contexts, via the collection or retention of data that can associate a given request to a particular user, user agent, or device, and the retention, use, or sharing of data derived from that activity outside the context in which it occurred. For the purposes of this definition, a context is a set of resources that share the same data controller and a common branding, such that a user would expect that data supplied to one of the resources is available to all of the others within the same context.
Updated, shorter versionemail October 16; discussed on 2013-10-23 teleconference.
Tracking is the observation of a particular user's browsing activity across multiple distinct contexts and the retention, use, or sharing of data derived from that activity outside the context in which it occurred.
Proposal (2): No definitionNo definition; remove from Definitions section, rest of document unchanged.
Proposal (3): No change from text in 02 October 2013 EDTracking is the retention or use, after a network interaction is complete, of data that are, or can be, associated with a specific user, user agent, or device.
Proposal (4): Any form of collection, retention, or use New textTracking is any form of collection, retention, use and/or application of data that are, or can be, associated with a specific user, user agent, or device.
non normative explanation: Tracking is not exclusively connected to unique ID cookies. Tracking includes automated real time decisions, intended to analyse or predict the personality or certain personal aspects relating to a natural person, including the analysis and prediction of the person’s health, economic situation, information on political or philosophical beliefs , performance at work, leisure, personal preferences or interests, details and patterns on behavior, detailed location or movements. Tracking is defined in a technological neutral way and includes e.g. cookie based tracking technology, active and passive fingerprinting techniques.
Proposal (5): Restore definition from April WD, corrected for grammarProposal from Roy Fielding (via wiki)
New textTracking is the collection of data across multiple parties' domains or services and retention of that data in a form that remains attributable to a specific user, user agent, or device.
Proposal (7)Latest state of discussion on the list (2013-10-22):
In general terms, Tracking is the retention or use after a network transaction is complete, or sharing, of data that is, or can be, associated with a specific user, user agent, or device.
However, this recommendation recognizes that by choosing to visit a site, users allow First Parties to retain and use tracking data they collect directly, or indirectly via Service Providers (though there are restrictions on sharing); and it allows Third Parties to claim permission to retain tracking data under some specific conditions (e.g. for security, auditing, or for deferred processing of raw data).
Proposal (8) == Branding and Contractual ProvisionsThis builds on a definition that was previously submitted by Roy.
'Tracking' is the act of following a particular user's browsing activity across multiple distinct contexts, via the collection or retention of data that can associate a given request to a particular user, user agent, or device, and the retention, use, or sharing of data derived from that activity outside the context in which it occurred. For the purposes of this definition, a context is a set of resources that EITHER: a) share the same owner, data controller and a common branding, such that a user would expect that data supplied to one of the resources is available to all of the others within the same context, OR b) enter into contract with other parties regarding the collection, retention, and use of data, share a common branding that is easily discoverable by a user, and describe their tracking practices clearly and conspicuously in a place that is easily discoverable by the user.
Rationale: I believe that we have WG consensus that common ownership, control and branding provides sufficient transparency and privacy controls. Building on some of David Wainberg¹s recent posts, I believe that branding and contractual provisions provide an equivalent level of transparency and control.
Existing texts Editors' DraftTracking is the retention or use, after a network interaction is complete, of data that are, or can be, associated with a specific user, user agent, or device.
30 April Working DraftTracking is understood by this standard as the collection and retention of data across multiple parties' domains or services in a form such that it can be attributed to a specific user, user agent, or device.
Deleted Change Proposals Superseded by (4): Proposal: Include collectionTracking is the collection, retention, or use of data records that are, or can be, associated with a specific user, user agent, or device.
RetroSearch is an open source project built by @garambo | Open a GitHub Issue
Search and Browse the WWW like it's 1997 | Search results from DuckDuckGo
HTML:
3.2
| Encoding:
UTF-8
| Version:
0.7.3