W3C home > Mailing lists > Public > public-tracking@w3.org > November 2011

Re: "cross-site"

From: Aleecia M. McDonald <aleecia@aleecia.com>
Date: Fri, 18 Nov 2011 09:11:00 -0800
To: Tracking Protection Working Group WG <public-tracking@w3.org>
Message-Id: <58AA40EF-1110-4CC9-AB19-BFE4F1427F8C@aleecia.com>
Hi JC,

Most issues will not be fully written while we are reviewing the first party language, but we will have placeholders for our decisions on those topics when we move the first party discussion into the next draft (currently the FPWD). We cannot write the entire compliance/definitions document at once. It makes sense to get consensus decisions on pieces as we progress, even knowing that the discussions around some of the related issues can result in what Matthias calls "earthquakes" -- a subsequent decision that brings us back to revisit a set of earlier decisions. 

So, some mention of it? Yes, issue-73 is already in the FPWD, which is what we will start editing. We will not forget that these issues are out there. And I expect we will start taking them up very soon. 

	Aleecia

On Nov 18, 2011, at 8:03 AM, JC Cannon wrote:

> That sounds fine, but I will like to see some mention of it in the first-party requirements section.
>  
> JC
> Twitter
>  
> From: Shane Wiley [mailto:wileys@yahoo-inc.com] 
> Sent: Friday, November 18, 2011 7:58 AM
> To: JC Cannon; Jonathan Mayer; Ed Felten
> Cc: Mike Zaneis; <public-tracking@w3.org>
> Subject: RE: "cross-site"
>  
> Agreed – but this would be covered under the Agency/Service Provider/Vendor exception – whereby the 3rd party is treated the same as the 1st party – and has no independent rights to use that information outside of general product improvement and “reporting” on their business performance .
>  
> For example, MSFT contracts with VENDORA to fulfill transactions on their behalf.  VENDORA would not be able to leverage the information passed to them from MSFT to build profiles to be sold separately from MSFT’s participation (again – not aware of this type of arrangement in the real-world but this is an exercise in closing loop-holes).  VENDORA would be able to use the information to improve their products generally (improve their fraud detection capabilities) and provide general company performance metrics – for example, VENDORA processed 1.2 Million transactions in the month of MONTH/YEAR.
>  
> From: JC Cannon [mailto:jccannon@microsoft.com] 
> Sent: Friday, November 18, 2011 7:43 AM
> To: Shane Wiley; Jonathan Mayer; Ed Felten
> Cc: Mike Zaneis; <public-tracking@w3.org>
> Subject: RE: "cross-site"
>  
> I would expect an exclusion for first parties sending data to a third party as needed to fulfill a transaction on the part of the first party such as order fulfillment.
>  
> JC
> Twitter
>  
> From: Shane Wiley [mailto:wileys@yahoo-inc.com] 
> Sent: Friday, November 18, 2011 7:32 AM
> To: Jonathan Mayer; Ed Felten
> Cc: Mike Zaneis; <public-tracking@w3.org>
> Subject: RE: "cross-site"
>  
> Jonathan,
>  
> I believe this is very close.
>  
> 2 Possible Issues:
>  
> - 1. Transfer of Data to a Third-Party Website:  As long as “under this standard” can be taken to mean “when the DNT:1 signal is received” – then we’re good.  The way this is written now is could be implied that this is true in all cases which is beyond the scope of this working group.
> - 1. Transfer of Data from a First-Party Website:  As long as is “with respect to honoring a user’s DNT:1 signal” then we’re good.  The way this is written now is could be implied that this is true in all cases which is beyond the scope of this working group.
>  
> - Shane
>  
> From: Jonathan Mayer [mailto:jmayer@stanford.edu] 
> Sent: Friday, November 18, 2011 12:42 AM
> To: Ed Felten
> Cc: Mike Zaneis; <public-tracking@w3.org>
> Subject: Re: "cross-site"
>  
> Agreed.  Between the discussion in Santa Clara, this thread, and these threads, I think we're very close to a consensus on first-party obligations.  Some time ago I drafted this text for the compliance document:
>  
> First-Party Requirements:
> This standard imposes no requirements on first-party websites.  A first-party website MAY take steps to protect user privacy in responding to a Do Not Track request.
>  
> Here's what I would now propose:
>  
> First-Party Website Requirements
>  
> 1. Transfer of Data to a Third-Party Website
> A first-party website MUST NOT transfer data to a third-party website that the third-party website could not collect itself under this standard.  A first-party website MAY otherwise transfer data to a third-party website.
>  
> 2. Additional Voluntary Measures
> A first-party website MAY take additional steps to protect user privacy in responding to a Do Not Track request.
>  
> a. Example Voluntary Measures (Non-Normative)
> […]
>  
> ...and then...
>  
> Third-Party Website Requirements
>  
> 1. Transfer of Data from a First-Party Website
> If a third-party website receives data from a first-party website, the data is subject to the same collection, retention, and use limitations under this standard as if the third-party website had collected the data itself.
>  
> Jonathan
>  
> (tags: ISSUE-17, ISSUE-51)
>  
> On Nov 17, 2011, at 2:37 PM, Ed Felten wrote:
>  
> 
> It seems to me that there might be substantial agreement here.  As I
> understand John, he was positing two reasons for sending a DNT flag to
> first parties: (1) when DNT is enabled, first parties shouldn't
> circumvent the limits on third-party collection by collecting data and
> then sharing it with third parties, and (2) some first parties might
> choose voluntarily to go beyond what the standard requires when they
> see a DNT flag.
> 
> On Thu, Nov 17, 2011 at 3:28 PM, Mike Zaneis <mike@iab.net> wrote:
> 
> This is where there is a fundamental split amongst the parties. We had a
> discussion several weeks ago about the first party obligations and I pointed
> out that IAB and my member companies generally support the U.S. FTC position
> that consumers don't expect first parties to be subject to such
> restrictions.  Those positions have not changed.
>  
> Mike Zaneis
> SVP & General Counsel, IAB
> (202) 253-1466
> On Nov 17, 2011, at 2:56 PM, "John Simpson" <john@consumerwatchdog.org>
> wrote:
>  
> Shane,
> I don't understand why we would say that a 1st party most likely will not be
> subject to the DNT signal.  If we continue to use the 1st party/ 3rd party
> distinction, it will likely (almost certainly) have different and probably
> fewer obligations than a third party. It should still be subject to the
> signal.
> As a user I want the 1st party site to know that I have DNT configured.  As
> a 1st party site operator I want to know a visitor has configured DNT and is
> sending me the signal.  There will be some "musts", ie not sharing data from
> a DNT configured user with 3rd parties, but if I am a responsible site
> operator I may chose to go further in honoring the DNT request.  For
> instance I might chose to not even include the visitor in my analytics. I
> need to know if  DNT is configured and the way this happens is by being
> subject to the DNT signal.
> The obligations are different, but its important that we think of all sites
> being subject to the DNT signal, once it is configured in the browser.
>  
> 73s,
> John
> On Nov 17, 2011, at 7:22 AM, Shane Wiley wrote:
>  
> Karl,
>  
> This statement is an attempt to remove the concern that a 1st party, which
> will mostly likely not be subject to the DNT signal, does not have a
> backdoor opportunity to pass user data directly to a 3rd party (aka -
> closing a loop-hole).  3rd parties present on the 1st party's web site
> should honor the DNT signal directly.
>  
> - Shane
>  
> -----Original Message-----
> From: Karl Dubost [mailto:karld@opera.com]
> Sent: Thursday, November 17, 2011 5:40 AM
> To: Shane Wiley
> Cc: John Simpson; Jules Polonetsky; Nicholas Doty; Roy T. Fielding; Mark
> Nottingham; <public-tracking@w3.org>
> Subject: Re: "cross-site"
>  
>  
> Le 16 nov. 2011 à 23:30, Shane Wiley a écrit :
>  
> Alter statement to read "First parties must NOT share user specific data
> with 3rd parties for those user who send the DNT signal and have not granted
> a site-specific exception to the 1st party."  This will leave room for
> sharing with Agents/Service Providers/Vendors to the 1st party -- as well as
> sharing aggregate and anonymous data with "others" (general reporting, for
> example).
>  
> I guess you mean
> s/DNT signal/DNT:1 signal"
>  
> Trying to understand what you are saying.
>  
> 1. User sends DNT:1 to a website with domain name www.example.org
> 2. www.example.org collects data about the user
>   (IP address and categories of pages the user visits)
> 3. Company Acme Hosting Inc. (a 3rd party) has access to these
>   data NOT through the Web but through an access to the logs file.
>  
>  
> What is happening?
>  
>  
> --
> Karl Dubost - http://dev.opera.com/
> Developer Relations & Tools, Opera Software
>  
>  
>  
> ----------
> John M. Simpson
> Consumer Advocate
> Consumer Watchdog
> 1750 Ocean Park Blvd. ,Suite 200
> Santa Monica, CA,90405
> Tel: 310-392-7041
> Cell: 310-292-1902
> www.ConsumerWatchdog.org
> john@consumerwatchdog.org
>  
>  
> 
Received on Friday, 18 November 2011 17:11:41 UTC

This archive was generated by hypermail 2.3.1 : Friday, 21 June 2013 10:11:22 UTC