RE: PING - areas where contributions are needed

Hi Lukasz,

In 4.1 the other party has to be a “service provider”, i.e. a party who is contracted never to use collected personal data on its own behalf (unless it is “permanently de-identified”). It is very close in concept to the Data Processor in EU DP law. It is simply acting on behalf of the DNT receiving party i.e. similar to an agent acting “in their shoes”.

From the definition:

For the data received in a given network interaction, a service provider is considered to be the same party as its contractee if the service provider:

1. processes the data on behalf of the contractee;
2. ensures that the data is only retained, accessed, and used as directed by the contractee;
3. has no independent right to use the data other than in a permanently de-identified form <http://www.w3.org/TR/2015/WD-tracking-compliance-20150714/#dfn-permanently-de-identified> (e.g., for monitoring service integrity, load balancing, capacity planning, or billing); and
4. has a contract in place with the contractee which is consistent with the above limitations.

So I think it is OK. 

Thanks for giving your input!

Mike

From: Lukasz Olejnik [mailto:lkasz.olejnik@gmail.com] 
Sent: 28 September 2015 20:19
To: public-privacy@w3.org
Subject: Re: PING - areas where contributions are needed

Dear all,

First of all, this is my first post here so greetings fellow PINGers! I hope to contribute to PING's works here and there.

I would like to address the recent contribution request (https://lists.w3.org/Archives/Public/public-privacy/2015JulSep/0138.html).


I wanted to highlight some, perhaps minuscule (perhaps not) things in relation to the Tracking Compliance [3] (http://www.w3.org/TR/2015/WD-tracking-compliance-20150714/#transitive-exceptions) that might deserve a bit of scrutiny.

First of all, this is a good job. Let's hope deployment & actual enforcement will follow later on.

Now my comments are directed solely at point 4 of this draft, the consent.
Specifically, 4.1 - about transitive consent for data sharing. 
It is naturally a usability feature that has practical means and needs, i.e. to transfer the consent to the service providers. I will follow the draft text and use here the example of ads providers as well.

First issue is whether it won't allow the, well, let's poetically call it "consent laundering"? 

Scenario: 

1. User has no previous knowledge of the existence of parties, say, A1, ..., A100.
2. User grants consent (for sharing data) to B. 
3. A1, ..., A100 do not wish to ask for consent, for whatever reason. So they use the service of B to transitively acquire it.

So perhaps an example party, say A37, could even inject scripts of B, who then would inject scripts of A37...?
Since B can transfer consent, consent is granted to A37. In a manner similar to cookie matching (e.g. using HTTP redirects, as in https://developers.google.com/ad-exchange/rtb/cookie-guide). 
I acknowledge the latter MUST clause, where I do not see any suggestions of enforcement. 

So this is a privacy case with possibly non-obvious implications where consent is being transferred to other party, as a matter of service.


Another comment may touch the "inhibiting adoption" issue. Whether enough flexibility in terms of consent is provided - provided there is a justified need, that is.
In this case let's discuss a situation when, say, the user visits site A, a consent (for sharing data) is given to other party B (level 1), and then B (later on) transitively provides this to other parties (level 2; C, D, ...), of which the user may not be aware.
So the thing here is: to how many parties the consent is being granted in this mode? Also, how many levels of consent should be allowed? Should there be any concept of levels at all?

But further, let's assume a site A is including scripts of B (with consent for sharing data), who is an Ad Exchange, running a Real-Time Bidding platform (https://developers.google.com/ad-exchange/rtb/). Then let's assume this platform has 100 bidders - all of them receive data about the user during the RTB protocol. Furthermore, let's say a bidder C wins and is able to deliver an ad. Does C, who may possibly maintain its own tracking infrastructure, possess the consent due to the transitivity?

Even more specifically, what happens if C is also an Ad Exchange and runs another round, and has also a number of bidders and in the end some other party D wins and delivers the end-content. So the original consent might possibly be granted to B, going through C and reaching D?

In this case, I think 4.1 is written quite well in terms of generality, but are we sure about the levels of transitivity?

Now to sum it up, consent is obviously required. This is a core principle of privacy. But should there be any limits to transitivity? Or perhaps the points I highlighted might be addressed somehow?

Best regards,

Lukasz Olejnik

Received on Tuesday, 6 October 2015 14:07:19 UTC