W3C home > Mailing lists > Public > public-tracking@w3.org > June 2012

Re: Meeting Notes from the

From: Vinay Goel <vigoel@adobe.com>
Date: Thu, 21 Jun 2012 12:16:11 -0700
To: "Roy T. Fielding" <fielding@gbiv.com>
CC: Tracking Protection Working Group <public-tracking@w3.org>
Message-ID: <CC08C0F1.E3DA%vigoel@adobe.com>
Very raw notes…

First Party

-       Not too much debate on first parties

-       One area without a resolution is appending 3rd party (offline) data

o   Most don’t think its within the scope of tracking

o   Maybe its not a good fit within DNT

o   May be a privacy concern, but not a DNT issue

o   DNT is ‘stateless’ technology discussing a specific transaction, this is beyond that

o   Possible for any party to add additional rules based on jurisdiction; but DNT is the baseline rule

-       Frank’s goal: not to restrict the usage of a DNT signal for a first party

o   This is our goal, but it’s a may not a must

o   Wewant to codify here the common ground

o   First partys can choose to do more if they receive DNT:1

-       First party cannot share (send) data with a 3rd party if that other party is not a first party or service provider

-       Sending

o   Cannot ‘send’

-       First Party responsibility 1:

o   If you receive DNT:1, you cannot facilitate sharing with a 3rd party for data profiling

-       Can first parties enforce compliance for third parties on its site?

o   There are other ways to protect data on its site

o   Its impractical to ask first parties to police its 3rd parties

o   DNT is a signal to me as a user to interact with that site

o   Can’t feasibly bar first party to tell data to third party

-       What are the obligations of a first party if they say they’re DNT complaint?

o   The only obligation it has is to not facilitate third party tracking

o   The first party has a really hard time telling third parties who’s on its site

o   First party has no restrictions on receiving/using data for its own purpose

o   Material difference between going to BlueKai to get data about them and getting data from a service provider like Acxiom

o   First party gives data to 3rd party data vendor; cannot be used for any purpose other than getting data back from the vendor

o   If the third party isn’t on the site, there is no way for it to ‘come back to the user’ with response headers

o   Imagine I’m a website.  I know their IP address because I get that.  I can use a service to see if this IP address has been involved in any attacks.  This service responds yes or no.  Is that allowed?

§  It should be, but may need to be parked because it’s a use case we haven’t thought through yet

o   FB: We should not prohibit first parties from sending the data to a 3rd party

§  It doesn’t care about how the user sends the data on to a 3rd party

-       We NEED TO TAKE CARE OF PRODUCT FULFILLMENT USE CASE

-       Would first parties store DNT flag within log files?

o   Tat would require some significant infrastructure changes

o   JC:  This should be in the standard log files

o   FB: The fact that I’m in seattle and sent a bunch of messages isn’t assocatiated with the DNT header

o   JC: When I’m processing that one server log and see the DNT header, then I can record it

o   FB: Because you’re a first party, there should be no prohibition on sharing

o   Susan: What I’ve understood the requirement to be is that the first party cannot share the data with third parties to enhance/augment profiles

o   Privacy advocates have said that its not enough to get consent by agreeing to Terms of Use/Privacy Policy

-       Is ‘share’ button a consent mechanism?

o   But, does that include whether I’m in seattle when I share it?

-       DNT shouldn’t affect the first party’s broader ability to do business

-       Maybe suggest to the group that being in a logged-in state may impact the application to DNT

-       Question is: To what extent is it practical to restrict a first party from sharing data with third parties (who are not a service provider) when the first party receives a DNT:1 signal?

o   What they are trying to get at is trying to create a work-around from having the third party on the site directly

-       A first party cannot subvert DNT by intentionally sending data to a third party that the third party would have received directly itself if it was present on the page itself

o   Cannot help a third party bypass the DNT signal

o   Someone is going to have to audit against DNT whether that will have force

§  Priority should be simple and clear that users, sites, auditors can check it

§  Point of non-consensus, but am moving on

-       DNT is flagged within the logs, and when the application is processing the logs, you look to see whether the use is affected by DNT.  If so, honor it; if not, don’t honor it.

o   In private discussions, regulators get that

o   Don’t include that data within the permitted uses

Permitted Uses

-       Add product fulfillment

-       Fraud  - needs to be broad

-       Security  - needs to be broad

-       Transactional   - needs to be broad

-       Contextual serving

-       Aggregate Reporting

-       Analytics

o   Some analytics – needs further clarification

-       De-identified

-       Legally required purposes

-       Product debugging and improvement

-       Service monitoring

-       Hard part is ‘retention’

-       Can’t limit all retention to 2 weeks

-       Perhaps can use some technical and process rules to limit access to the data

-       Whole argument for permitted uses is: you can’t keep the information that long otherwise it will be abused

o   Instead, we should be addressing the abuse

o   Have good standards for re-identification if it is retained

-       People do not believe that we will limit access to use data appropriately

-       Long-tail publishers need longer retention periods because they need it to retain diversity/known audiences.  Cannot do it with 2 weeks of data.  Got to have tools to sell inventory toadvertisers

-       “What’s protected depends a lot on who’s looking”

-       Can’t make ‘absolute’ standards.  Need to do it with reasonable protections and limitations

-       In any of these, there needs to be a path for innovation.

-       Market Research

-       Define terms for which it means to put data in ‘databases’.  There can be separate records for each permitted use

-       “Access controls and technical mechanisms”

-       Frequency capping (should be a broader category for which that falls) – maybe campaign management

o   Needs to be spelled out further

-       Making sure that two competing advertisers ads aren’t side by side/on the same page

o   Can this be contextual advertising?

o   Content delivery management

§  Conflicting advertisers

§  Advertisers don’t want to be on certain pages

-       Reading the FTC’s accepted practices


Third Party
            - when you’re a third party, you can’t write to a profile

Service Provider

-       Under contract that prohibits the data for its own purpose except for permitted uses

-       Contract needs to say that the services provided need to act on its behalf and have the same obligations

As part of a relationship with a 3rd party on its site, you ‘ask’ that it be compliant with the specs

-       From the EU perspective, it’s the websites responsibility at the end, not the responsibility of the ad network

-       To the extent that you have a relationship with the third party, ask that the third party be compliant



From: "Roy T. Fielding" <fielding@gbiv.com<mailto:fielding@gbiv.com>>
To: Vinay Goel <vigoel@adobe.com<mailto:vigoel@adobe.com>>
Cc: Tracking Protection Working Group <public-tracking@w3.org<mailto:public-tracking@w3.org>>
Subject: Re: Meeting Notes from the

Text only, please.

....Roy

On Jun 21, 2012, at 11:22 AM, Vinay Goel wrote:

Here are our group's meeting notes.

-Vinay

________________________________
Confidentiality Notice: The contents of this e-mail (including any attachments) may be confidential to the intended recipient, and may contain information that is privileged and/or exempt from disclosure under applicable law. If you are not the intended recipient, please immediately notify the sender and destroy the original e-mail and any attachments (and any copies that may have been made) from your system or otherwise. Any unauthorized use, copying, disclosure or distribution of this information is strictly prohibited. <ACL>
<Team Meeting Notes.docx>
Received on Thursday, 21 June 2012 19:16:42 UTC

This archive was generated by hypermail 2.3.1 : Friday, 21 June 2013 10:11:31 UTC