The document introduces the Tracking Protection Working Group (TPWG) at the World Wide Web Consortium (W3C). It summarizes the TPWG's goal of developing standards around a "Do Not Track" browser header to express user preference not to be tracked online. It outlines the co-chairs and process for writing three standards documents. It also discusses some of the major issues still to be resolved, including how to define first, second, and third parties as well as permitted third party uses.
1. Tracking Protection Working Group
Aleecia M. McDonald
3 May, 2012
Friday, May 4, 12
2. Introduction of the W3C
✤ World Wide Web Consortium creates international standards for the Internet
✤ Sir Tim Berners-Lee
  ✤ Created the World Wide Web, 1989
  ✤ Created the W3C, 1994
✤ Successful track record with standards for HTML, XML, CSS, etc.
✤ Hundreds of billions of dollars of commerce runs on W3C standards
3. Introduction of co-chairs
✤ Aleecia M. McDonald
  ✤ Half-time Mozilla Senior Privacy Researcher
  ✤ Half-time Stanford Resident Fellow
  ✤ Prior: PhD privacy; software start ups
✤ Matthias Schunter
  ✤ IBM Research in Switzerland
  ✤ Focus on cloud computing, security, and privacy
  ✤ P3P standards experience
4. Approach for Do Not Track
✤ User agent expresses a preference not to be tracked
  HTTP header of DNT:1
✤ Shipping today; standards work answers “what does tracking mean?”
✤ Websites / applications choose to honor DNT, confirm with response
✤ Adoption is entirely voluntary; W3C cannot compel members to act
5. Diverse TPWG Membership
✤ 70+ group participants, plus observers
✤ Browser companies: Apple, Google, Opera, Microsoft, Mozilla
✤ Wide membership range including Alcatel-Lucent; Adobe; AdTruth; Article 29 Working Party; AT&T; CDD; CDT; Chapell & Associates; Deutsche Telekom; EFF; ESOMAR; Facebook; IAB Europe; Nielsen; Nokia; Online Publishers Association; TRUSTe; Yahoo!; The Walt Disney Company
6. Writing Standards Documents
1. Definitions & Compliance
  ✤ Chair: Aleecia M. McDonald (Mozilla)
  ✤ Editors: Justin Brookman & Erica Newland (CDT); Sean Harvey & Heather West (Google)
2. Tracking Preference Expression
  ✤ Chair: Matthias Schunter (IBM)
  ✤ Editors: Roy Fielding (Adobe), David Singer (Apple)
3. Tracking Selection Lists
  ✤ Chair: Matthias Schunter
  ✤ Editors: Karl Dubost (Opera); Andy Zeigler (Microsoft)
7. Three Types of Parties
1. First party
  ✤ Not directly liable for others’ actions
  ✤ Very few restrictions
  ✤ Cannot share data with others, or else must act as a third party
  ✤ Can be multiple 1st; depends upon meaningful interaction
2. Service provider
  ✤ Agents of first parties, contractual relationship
  ✤ Cannot share data across multiple first parties or use for their own purposes
  ✤ Debating exceptions
3. Third parties with strong restrictions, plus exceptions
8. Uniform Signals, Different Results
Eleven Point One
Onze Comma Un
Punt Elf
Elf Komma Eins
9. Tri-part DNT Signal
✤ Three options
DNT: 1 - enable DNT, user saying “do not track me”
DNT: 0 - do not enable DNT
Nothing - users have not made a selection
✤ US, Nothing:
  ✤ Users did not choose to enable DNT
  ✤ Similar to DNT: 0
✤ EU, Nothing:
  ✤ Users did not consent to tracking
  ✤ Similar to DNT: 1
10. Site-specific Exemptions
✤ Many countries can have a global DNT: 1 value
  ✤ Companies want to ask to track anyway
✤ Some countries may not allow a global DNT: 1
  ✤ Consent may be site-by-site
✤ Use same technical mechanism in both cases
  ✤ Exception specific to advertiser on that particular first party, not global for the advertiser across the whole Internet
  and/or
  ✤ Exception global for a specific third party, Internet wide
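The tri-part signal from slide 9 combined with the two kinds of exemption from slide 10, as an added example that is not from the original slides. The names `parse_dnt`, `may_track` and `REGION_DEFAULT`, the `.example` hostnames, and the choice to treat an unrecognised header value as "Nothing" are assumptions made for illustration.

```python
from enum import Enum

class Dnt(Enum):
    ON = "1"      # DNT: 1, user saying "do not track me"
    OFF = "0"     # DNT: 0, DNT not enabled
    UNSET = None  # no header, user has not made a selection

def parse_dnt(headers):
    """Read the tri-part signal from a dict of request headers."""
    for name, value in headers.items():
        if name.lower() == "dnt":  # HTTP header names are case-insensitive
            value = value.strip()
            if value in ("0", "1"):
                return Dnt(value)
            break  # assumption: an unrecognised value counts as no selection
    return Dnt.UNSET

# How "Nothing" is read per region, following the slide's US/EU comparison.
REGION_DEFAULT = {"US": Dnt.OFF, "EU": Dnt.ON}

def may_track(headers, region, first_party, third_party,
              site_exemptions=frozenset(), web_wide_exemptions=frozenset()):
    """Decide whether third_party may track this request on first_party."""
    signal = parse_dnt(headers)
    if signal is Dnt.UNSET:
        signal = REGION_DEFAULT[region]
    if signal is Dnt.OFF:
        return True
    # DNT in effect: only an exemption lifts it.
    if third_party in web_wide_exemptions:  # global for one third party
        return True
    # specific to this third party on this particular first party
    return (first_party, third_party) in site_exemptions

if __name__ == "__main__":
    # Constructed sample requests; hostnames are placeholders.
    granted = {("news.example", "ads.example")}
    for hdrs, region, site in [({}, "US", "news.example"),
                               ({}, "EU", "news.example"),
                               ({"DNT": "1"}, "US", "news.example"),
                               ({"DNT": "1"}, "US", "shop.example")]:
        print(hdrs, region, site,
              may_track(hdrs, region, site, "ads.example", granted))
```

The same request with no DNT header yields opposite answers in the two regions unless an exemption applies, which is the "uniform signals, different results" point of slide 8.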
11. Current Big Unresolved Issues
1. Edges of a party
  ✤ User expectations and branding
  ✤ “Discoverable” based on corporate ownership
2. Permitted uses for third parties, perhaps with retention limits, e.g.
  ✤ Frequency capping
  ✤ Billing and financial logging
  ✤ 3rd party auditing
  ✤ Security and fraud prevention
12. Opportunities
✤ For feedback:
  ✤ Speaking with WG on call
  ✤ Joining the WG
  ✤ Community Group
  ✤ Individual comments on Last Call draft
✤ For media:
  ✤ Internet week, May 17th
  ✤ Mozilla blog
  ✤ Jonathan’s list of DNT implementations
13. Interested in Learning Thoughts...
✤ Response mechanism
  ✤ HTTP header
  ✤ Well-known URL
✤ How do you propagate opt-out status now?
✤ Consent for specific sites
✤ EU consent issues
✤ Hard to get user consent when brand unknown
✤ Does 3rd party acting as 3rd party help?
✤ Auditing, billing
✤ Silo data
✤ Biggest technical challenge to implement?
14. Tracking Protection Working Group
Aleecia M. McDonald
3 February, 2012
15. Photo credits
✤ Tim: http://i.telegraph.co.uk/multimedia/archive/00682/bernerslee-404_682192c.jpg
✤ Elephant: http://www.flickr.com/photos/paperpariah/2446224424/sizes/o/in/photostream/
  ✤ Adam Foster | Codefor
  ✤ “! danger elephants at Knowsley Safari Park?”
✤ Cash register: http://www.flickr.com/photos/teflon/4995681266/
  ✤ Martin Deutsch