W3C home > Mailing lists > Public > public-tracking@w3.org > May 2012

RE: Transitive third party exceptions

From: Kevin Smith <kevsmith@adobe.com>
Date: Tue, 29 May 2012 17:02:59 -0700
To: Rigo Wenning <rigo@w3.org>, "public-tracking@w3.org" <public-tracking@w3.org>
CC: "ifette@google.com" <ifette@google.com>
Message-ID: <6E120BECD1FFF142BC26B61F4D994CF309994C04AF@nambx07.corp.adobe.com>
>The transitive scope of permission is a concession to the practical implementation of ad networks. So I'm helping Shane to keep his models and procedures and only adjust slightly.

I don't think this really answers my question.  I know it was to try to help ad networks function, but I don't really think it helps much.  So again, does this actually help in the EU?  If not, then I recommend we dismiss this subject immediately.

>You have a logic breaking point here. 

>1/ DNT is not applicable as a limitation for 1st parties (only an enabler in the EU context) 

Never claimed it did.  I was simply stating that this moves the trust from the 1st party that I visit intentionally entirely to 3rd party entities that I mostly likely do not even recognize.

>2/ What is the difference between my first party deciding on unbound third parties and me deciding about unbound third parties?

This does not allow you to decide about unbound third parties, it allows you to decide about 1 level of unbound 3rd parties (again, that you likely do not recognize).  Unbound parties are recursive.  Each one can include any 3rd party which is in itself an unbound 3rd party.  Therefore, all this does is move the trust level down the chain 1 spot.  I could certainly see instances that this may be somewhat helpful (for instance -when the 3rd party included does not include other 3rd parties), but it does not seem to facilitate the ad chain at all.

> You would have a point if the transitive permission would be an open permission to do whatever with the data received. Consider first that we are talking about sending DNT;0 to a third party. Giving permission. In the US context that makes no difference at all. Once you give permission to one third party (A), this third party can give the data and everything to B, C, and D and Z. In Europe, the difference is positive as it clears that ad auctions will work once the first entity in a chain has received DNT;0. But in Europe it is not unbound as the transitive permission does not remove the purpose limitation. So whether you do Analytics or Ads, you remain bound by that.

This is very interesting.  I don’t think I understand exactly what you mean.  Are you suggesting that 3rd parties B, C ... would not get DNT:0?  What purpose limitation would entity C be under?  And how would it know the difference?  If entity C has limitations and cannot function as it normally would, then this inherently limits entities B and A because, although they may think they can function fully, they cannot.  Here is a ridiculously simplified example - let's say that entity A has an exception and is therefore allowed to target a user based on gender.  However, entity A does not actually serve the ads, so it includes entity B and asks entity B to serve up an ad that will match the user's gender.  If entity B is not allowed to know the gender, or reference its visitor profile for the user etc, then it cannot serve an ad based on gender, so it either returns failure, or a non-targeted ad.  In this case, entity A was not able to fulfill its function because it was dependent on entity B being able to fulfill its function.

-kevin

-----Original Message-----
From: Rigo Wenning [mailto:rigo@w3.org] 
Sent: Tuesday, May 29, 2012 10:33 AM
To: public-tracking@w3.org
Cc: Kevin Smith; ifette@google.com
Subject: Re: Transitive third party exceptions

Kevin, 

sorry that this remained unanswered. I was far too busy to keep being connected. 

On Wednesday 16 May 2012 09:53:10 Kevin Smith wrote:
> Is this entirely to meet European requirements, because it sounds like 
> there is still some debate among those well versed in European law as 
> to whether this will help.

The transitive scope of permission is a concession to the practical implementation of ad networks. So I'm helping Shane to keep his models and procedures and only adjust slightly.

> From a logical standpoint, I still maintain this makes no sense at 
> all.  Why would we assume the user would trust the 3rd party who they 
> don’t know, more than the 1st party who they do?

You have a logic breaking point here. 

1/ DNT is not applicable as a limitation for 1st parties (only an enabler in the EU context) 

2/ What is the difference between my first party deciding on unbound third parties and me deciding about unbound third parties?

> If
> transitive trust is adequate for a 3rd party, it surely should be for 
> the 1st party.

Within certain boundaries this is already true. As a first party you can declare some sites belong to the same entity. 

> I still believe this has almost all of the negatives of 
> explicit/explicit (cost and complexity), without many of the benefits 
> (aside from the fact that this is at least more technically feasible)

You would have a point if the transitive permission would be an open permission to do whatever with the data received. Consider first that we are talking about sending DNT;0 to a third party. Giving permission. In the US context that makes no difference at all. Once you give permission to one third party (A), this third party can give the data and everything to B, C, and D and Z. In Europe, the difference is positive as it clears that ad auctions will work once the first entity in a chain has received DNT;0. But in Europe it is not unbound as the transitive permission does not remove the purpose limitation. So whether you do Analytics or Ads, you remain bound by that. 

So do I hear you argue that we need more limitations for the US market and if we allow for transitive permissions, have some kind of implicit purpose limitation to it? This is easily feasible IMHO. 

Best, 

Rigo
Received on Wednesday, 30 May 2012 00:03:33 UTC

This archive was generated by hypermail 2.3.1 : Friday, 21 June 2013 10:11:28 UTC