
Re: Considering browser vendor as a third party

From: Rob van Eijk <rob@blaeu.com>
Date: Sun, 10 Jun 2012 19:20:04 +0200
To: <public-tracking@w3.org>
Message-ID: <8a250e4b702e3ca5f60cad28210be46b@xs4all.nl>
> In this sense, the browser's
> servers are more like ISPs --- they functionally have to receive the
> information to operate, but they're also not the end party with which
> the user is trying to communicate, and a user with DNT on (or
> otherwise!) might not want and expect the company to be building
> profiles and/or retaining information about their browsing habits.

If the browser calls home (e.g. Mozilla crash reporting), or for
example speeds up the web experience by caching in the cloud (e.g. Opera
Turbo), this is all processing for which the browser manufacturer is
responsible. Because the purpose and means of these information flows
are determined by the browser manufacturer, he is a Controller in the
EU.

Similarly, a browser manufacturer is a Controller when he builds
profiles and/or retains information about browsing habits of users when
information flows hit his browser's servers.

Another interesting use case is a browser with a default search engine,
that calls home once launched by a user. Because the search module is
part of the default settings of the browser, I consider both the browser 
and the search engine as Joint Controllers in the EU for these 
information flows. The value proposition of bundling the browser and the 
default search box is something that should be clear to the user before 
installation. The user must be able to make a free choice, after having 
been provided with clear information about the purpose of the data 
processing prior to calling home.

The same analysis applies to other browser add-ons that call home.
These will be held accountable as Joint Controllers as well. That is why
we see prior and explicit opt-in for e.g. panel data of Privacy Choice or
Evidon.

Having said that, I thought about the question of how to pull this into DNT.
The route to deal with the phenomena as first/third parties may not
work. Therefore I propose an alternative route: Use normative text in the
compliance document in a section on other parties.

<TEXT PROPOSAL>
Non-normative text: There may be other parties besides first and third
parties, e.g. a party not being a first or a third party is a party, in
a specific network interaction, that makes the interaction possible. A
browser manufacturer can have multiple roles in the modern web
ecosystem. Therefore it is important to distinguish the responsibilities
that come with the different roles of browser manufacturers. A browser
manufacturer can be a first party, e.g. when a user visits the homepage of
the browser. A browser manufacturer can be a third party, e.g. when
advertising with a get-my-browser button on various websites on the web.
A browser manufacturer can also be an important intermediary making
network interaction possible between a user and first/third parties.

Normative text: Parties that make a specific network interaction
possible between first and third parties MUST not collect, use, retain
and share data beyond that which is strictly necessary for the network
interaction and explicitly requested by the user.
</TEXT PROPOSAL>

Rob

PS: If there is any behavior of browser modules / add-ons that you 
think must be opt-in / are not transparent / lack control, let me know.


Justin Brookman wrote on 2012-06-10 17:32:
> We should also consider what to do about cloud-based browsers ---
> browsers that route web requests through the browser company's own
> servers in order to render pages more quickly and efficiently (Amazon
> Fire, RIM, Opera I think all do this). In this sense, the browser's
> servers are more like ISPs --- they functionally have to receive the
> information to operate, but they're also not the end party with which
> the user is trying to communicate, and a user with DNT on (or
> otherwise!) might not want and expect the company to be building
> profiles and/or retaining information about their browsing habits. In these
> examples, I would consider the browser company's servers to be
> third-party servers, but they may collect, use, and retain the
> information per the permitted uses (which do not squarely address this
> scenario) or the two-week grace period. Not sure we need to expand the
> permitted uses, since any retention beyond two weeks should really
> fall into one of the existing buckets.
>
>> -------------------------
>> FROM: Vincent Toubiana [mailto:v.toubiana@free.fr]
>> TO: Shane Wiley [mailto:wileys@yahoo-inc.com]
>> CC: Rigo Wenning [mailto:rigo@w3.org], public-tracking@w3.org
>> [mailto:public-tracking@w3.org], David Singer
>> [mailto:singer@apple.com], Tom Lowenthal [mailto:tom@mozilla.com],
>> TOUBIANA, VINCENT (VINCENT)
>> [mailto:Vincent.Toubiana@alcatel-lucent.com]
>> SENT: Sun, 10 Jun 2012 09:52:40 -0400
>> SUBJECT: Re: Considering browser vendor as a third party
>>
>> Shane,
>>
>> I believe Justin's explanation on this point makes sense, we're not
>> interacting *with* the browser, we're interacting with a 1st party
>> website *through* the browser. Hence this question might not be out
>> of scope.
>>
>> Vincent
>> > I agree the question is a valid one. But as the group has already
>> > discussed "meaningful interaction" as a condition to move a widget
>> > from a 3rd party context to a 1st party context, why wouldn't that
>> > apply in this case? If you agree, then web browsers would be
>> > considered 1st parties and are largely out of scope for the TPWG
>> > specification.
>> >
>> > - Shane
>> >
>> > -----Original Message-----
>> > From: Rigo Wenning [mailto:rigo@w3.org [1]]
>> > Sent: Friday, June 08, 2012 12:52 PM
>> > To: public-tracking@w3.org [2]
>> > Cc: David Singer; Tom Lowenthal; TOUBIANA, VINCENT (VINCENT)
>> > Subject: Re: Considering browser vendor as a third party
>> >
>> > On Thursday 07 June 2012 14:44:37 David Singer wrote:
>> >> I don't think that's the question. What is the status of the
>> >> browser *vendor*'s online site?
>> > Vincent raised an important question: What happens if the browser
>> > phones home. I hear all saying this is out of scope and will be
>> > determined by the applicable jurisdiction. Fine. But it was very
>> > important to raise that question IMHO.
>> >
>> > Rigo
>> >
>> >
>
>
> Links:
> ------
> [1] mailto:rigo@w3.org
> [2] mailto:public-tracking@w3.org
Received on Sunday, 10 June 2012 17:20:33 UTC
