W3C home > Mailing lists > Public > public-tracking@w3.org > November 2011

Re: Outsourcing

From: David Singer <singer@apple.com>
Date: Fri, 04 Nov 2011 12:18:58 -0700
To: Tracking Protection Working Group WG <public-tracking@w3.org>
Message-id: <AD714993-7CF9-4379-AEA7-DA764D3FD53C@apple.com>
I agree, the 'silo' language needs to be very clear and specific (if you are acting under any 'exemptions' granted to the first party, that you would not otherwise have, then whatever you do has to be only visible/available to the first party).


On Nov 3, 2011, at 12:44 , David Wainberg wrote:

> Directionally, I like the approach, but I would propose revising it to make it cleaner. 
> I prefer "reasonable controls" to "reasonable technical precautions," because it's broader, and could encompass both business controls and technical controls.
> As to what the controls are for, it's to prevent the mingling of data across parties, right?
> I don't know what a "form that renders them legally enforceable" by all of those parties will be, especially across jurisdictions. However, if a company publicly states that it adheres to DNT, and if there's a requirement in DNT for parties in this context to have "reasonable controls" then that's adequate for enforcement, isn't it? I don't disagree with the direction of this, just need to make it workable.
> To your issue about scope, the vendor needs to reserve some independent uses, such as to operate, maintain and improve the service, prevent fraud, etc. They also might disclose data in aggregate form to market the service, or for research. 
> Here's a draft proposal:
> 
> When a vendor or service provider collects or uses [some data] on behalf of another party, that vendor or service provider stands in the same position as the party with regard to DNT if the vendor or service provider: 1) will use the data in non-aggregate form only on behalf of the party, and 2) takes reasonable measures to ensure 1. Whether measures are reasonable depends on particular circumstances, but may include business or technical controls such as [TBD].
> 
> Notes:
> "some data" is a placeholder for a yet to be defined scope of data to which DNT applies
> I broadened to any parties, not just 1st vs 3rd, so that, e.g., vendors of vendors will be covered (and also because I continue to doubt that the 1st vs 3rd distinction is useful.)
> I propose, for clarity, that we refer to this type of relationship as a "vendor" or "service provider" relationship. I think that's consistent with usage in the industry, so will be better understood.
> 
> On 11/1/11 10:38 AM, Jonathan Mayer wrote:
>> 
>> (ACTION-28, ISSUE-23)
>> 
>> The text below reflects (I think) our consensus in Santa Clara on outsourcing.
>> 
>> If a first-party website outsources functionality to a third-party website, the third party may act as a first party under this standard so long as all of the following conditions are met when responding to a Do Not Track request.
>> 
>> 1) The third-party website takes reasonable technical precautions.
>> 
>> Non-normative: One component of reasonable technical precautions may be using the same-origin policy to segregate information for each first-party customer.
>> 
>> 2) The third-party website makes public commitments in a form that renders them legally enforceable by its first-party customer, individual users, and regulators.
>> 
>> This leaves at least four open sub-issues on outsourcing:
>> 
>> 1) What is the scope of "outsourcing"?  Is the third party just stepping into the first party's shoes?  Or does it have some independent discretion in using data for its own purposes (e.g. for "product improvement" and "aggregate statistics" as Shane and Jules have proposed)?  Here's my language from earlier in the month:
>>> -the third party will not use the data it collects except as directed by the first party
>>> -the third party will only use the data it collects to provide functionality to the first party; it will not use the data it collects for its own purposes
>>> -the third party will not share the data it collects except with the first party
>>> -if the first party requests, the third party will promptly delete the data it has collected
>>> -if the first party closes its account, the third party will promptly delete the data it has collected
>> 
>> 2) What are the third party's technical precautions for?  Preventing the collection of cross-site tracking data?  Siloing data per first-party customer?
>> 
>> 3) What are the factors that go into a reasonable technical precaution?  (Note: this depends on what the precaution is for.)  Here's my old language:
>>> -the extent to which the technical precautions prevent the collection of cross-site tracking data
>>> -whether the technical precautions are externally verifiable
>>> -the extent to which the technical precautions impede the third-party website's other functionality
>> 
>> 4) Is there a MUST or SHOULD for reasonable internal controls?  Old language:
>>> 2) The third-party website imposes reasonable internal controls to prevent the collection, retention, and use of cross-site tracking data.  Reasonable internal controls may consist of, among other practices, data segregation, encryption, access control, and employee training.
>>> 
>>> Example:
>>> Example Analytics collects data on behalf of first-party websites in a single database table that all employees have access to.
>>> 
>>> Discussion:
>>> Example Analytics has not imposed reasonable internal controls.
>> 

David Singer
Multimedia and Software Standards, Apple Inc.
Received on Friday, 4 November 2011 19:19:36 UTC

This archive was generated by hypermail 2.3.1 : Friday, 21 June 2013 10:11:22 UTC