w3c/wbs-design or
by mail to sysreq.
W3C
Site Navigation
Nearby
Results of Questionnaire [Call for Objections] Collect/Retain/Use/Share
The results of this questionnaire are available to anybody. In addition, answers are sent to the following email address: team-tracking-chairs@w3.org
This questionnaire was open from 2013-11-13 to 2013-12-04.
6 answers have been received.
Jump to results for question:
1. Objections to Option A
Option A
A party collects data if the data comes within its control.
A party retains data if the data remains within the party's control after the network interaction during which it was collected is complete.
A party uses data if the party processes the data for any purpose other than storage or merely forwarding it to another party.
A party shares data if it transfers or provides a copy of data that it has collected to any other party.
A party facilitates any other party’s collection of data if it enables such party to collect data and engage in tracking.
If you have an objection to this option, please describe your objection, with clear and specific reasoning.
Details
| Responder | Objections to Option A |
|---|---|
| Roy Fielding | I object to this definition of "collects": data collection is inherently about retaining (or giving to someone else) that which is collected. Data that merely comes within control is not collecting: an Internet router isn't collecting data when it forwards it between two peers. I described that extensively in a message to the list on 23 May 2012, which I will recap here. The regulatory bodies use the term "data collection" extensively without actually defining it. As near as I can tell, they rely on the commonly established usage of the term for statistical surveys, something which the government is very familiar with (census) and frequently regulates. "Data collection is the process of gathering data." [2] and "gathering" is itself defined as collection (circular) or as the act of assembling a group of things together in one place. I think we all should understand that collection implies gathering together and at least some form of retention (i.e., either retention by the party doing the collecting, or retention by some other party that received what was collected). "I have a large seashell collection which I keep scattered on the beaches all over the world... maybe you've seen it." -- Steven Wright [1] The above joke by Steven Wright depends on the audience knowing that. We collect seashells by taking them off the beach, not by merely walking by them. We collect photos of seashells by taking each one's picture and retaining that picture, not by snapping the shot and then deleting it from memory. As a technical matter, assigning a pseudo-ID to a user agent via a cookie that is derived from a random source, perhaps combined with codes for algorithmic validation, and merely receiving that cookie in later requests, is not by itself data collection. Data collection would be retaining the cookie value along with the request data, or gathering the data from multiple requests over time in a way that can be traced back to that cookie. This distinction is important because there are many uses of cookies that are not for the purpose of tracking, even though the value is unique per user agent. I only object to the other definitions to the extent they rely on this incorrect definition of collects. [1] http://www.funnyordie.com/videos/a024670721/steven-wright-standup-from-standupfan [2] http://stats.oecd.org/glossary/detail.asp?ID=534 |
| Mike O'Neill | I object to Option A because collecting has to be purposeful, data could "come within control" without any attempt to track. If the data is actively retained after the network interaction then that is another matter, which is why I support Option B more. I also think "merely forwarding" counts as using, because the forwarding must have been for some purpose. I do not like a separate definition of "facilitates" because it weakens the prohibition against "sharing" (when any party sees DNT set). |
| David Singer | It's silly to say I collected something if it was sent to me without my asking. This is problematic, in that if we write 'must not collect' this is unimplementable. Perhaps we would only use 'retain'? |
| Rob van Eijk | I object to Option A because it mixes a definition of party with processing of data. |
| Jack Hobaugh | In general, I object to the porting of a TCS compliance definition into the TPE. I feel strongly that the TPE should remain a pure protocol and technical specification document. Some have contended that some TCS definitions are needed in the TPE in order for the consumer to understand the choice that the consumer is making regarding the DNT signal. This is simply not the case. A technical specification need only specify the requests and responses necessary for a DNT protocol to be implemented in a scalable and implementable solution across all browsers and the servers called. The intended audience for the TPE is made up of technical implementers such as software engineers, developers, and programmers. To be clear, the TPE should not take on the responsibility of informing consumers and attorneys regarding a policy or compliance choice but instead should inform the technical community on how to implement the technical solution. The compliance specification for the DNT signal should be left to the compliance regime, whether it is a national compliance regime, a W3C-based compliance regime or an industry-based compliance regime. Porting definitions from a particular compliance regime into the TPE only serves to provide an incomplete and confusing picture to the software engineers, developers, and programmers who will be tasked with implementing the technical protocol. |
| Alan Chapell | I respectfully object to the inclusion of any of these definitions. It is unclear that any of these terms need to be defined in order to complete the TPE. Moreover, these definitions have dependencies with regard to the definitions of both Party and Tracking which were addressed in a CFO weeks ago. We seem to be doing things in reverse order here. As a standards body, I would hope the W3C would recognize that any terms we choose to define here will have an impact downstream as legislators and regulators around the world will be tempted to utilize such terms. With that in mind, the definition of "facilitates" should not be included as it conflates the concept of "data collection" with the concept of "tracking." |
2. Objections to Option B
Option B
A party collects data received in a network interaction if that data remains within the party’s control after the network interaction is complete.
A party uses data if the party processes the data for any purpose other than storage or merely forwarding it to another party.
A party shares data if it transfers or provides a copy of data that it has collected to any other party.
A party facilitates any other party’s collection of data if it enables such party to collect data and engage in tracking.
If you have an objection to this option, please describe your objection, with clear and specific reasoning.
Details
| Responder | Objections to Option B |
|---|---|
| Roy Fielding | I support these definitions. I would have preferred a small simplification of shares to be: A party shares data if it transfers or provides a copy of that data to any other party. (i.e., there is no reason for shares to be specific to data that has been collected). Also, I don't see any need for a definition of facilitates, but I am okay with defining it just for discussion. |
| Mike O'Neill | For the most part I support Option B, though I think the definition of "facilitates" is redundant (and its existence dilutes the meaning of "shares") |
| David Singer | This has a loophole/bug, in that 'sharing' is defined only after 'collection', so if I pass the data *during* a transaction, it's not 'sharing'. 'shares if it transfers data to another party' (delete 'it has collected'). |
| Rob van Eijk | I am not objecting, but I am not enthousiastic at all either. Preferred would be not to include definitions of this sort at all because, when applied in the EU, they would conflict with EU data protection law. If at all, a general definition of 'processing' would be preferred. E.g., 'Processing' means any operation or set of operations which is performed in a network interaction, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, erasure or destruction. |
| Jack Hobaugh | In general, I object to the porting of a TCS compliance definition into the TPE. I feel strongly that the TPE should remain a pure protocol and technical specification document. Some have contended that some TCS definitions are needed in the TPE in order for the consumer to understand the choice that the consumer is making regarding the DNT signal. This is simply not the case. A technical specification need only specify the requests and responses necessary for a DNT protocol to be implemented in a scalable and implementable solution across all browsers and the servers called. The intended audience for the TPE is made up of technical implementers such as software engineers, developers, and programmers. To be clear, the TPE should not take on the responsibility of informing consumers and attorneys regarding a policy or compliance choice but instead should inform the technical community on how to implement the technical solution. The compliance specification for the DNT signal should be left to the compliance regime, whether it is a national compliance regime, a W3C-based compliance regime or an industry-based compliance regime. Porting definitions from a particular compliance regime into the TPE only serves to provide an incomplete and confusing picture to the software engineers, developers, and programmers who will be tasked with implementing the technical protocol. |
| Alan Chapell | I respectfully object to the inclusion of any of these definitions. It is unclear that any of these terms need to be defined in order to complete the TPE. Moreover, these definitions have dependencies with regard to the definitions of both Party and Tracking which were addressed in a CFO weeks ago. We seem to be doing things in reverse order here. As a standards body, I would hope the W3C would recognize that any terms we choose to define here will have an impact downstream as legislators and regulators around the world will be tempted to utilize such terms. With that in mind, the definition of "facilitates" should not be included as it conflates the concept of "data collection" with the concept of "tracking." |
More details on responses
- Roy Fielding: last responded on 21, November 2013 at 02:58 (UTC)
- Mike O'Neill: last responded on 1, December 2013 at 16:26 (UTC)
- David Singer: last responded on 3, December 2013 at 22:51 (UTC)
- Rob van Eijk: last responded on 4, December 2013 at 20:54 (UTC)
- Jack Hobaugh: last responded on 5, December 2013 at 02:54 (UTC)
- Alan Chapell: last responded on 5, December 2013 at 03:56 (UTC)
Everybody has responded to this questionnaire.
Compact view of the results / list of email addresses of the responders
WBS home / Questionnaires / WG questionnaires / Answer this questionnaire
Report issues
on GitHub project