Re: Proposals for Compliance issue clean up

Thanks — as noted in the message I just sent to David, I do think that the situation I describe constitutes consent.  But that is equally true for filling out a web form:  in that case, the user is consenting (by typing in the information and clicking a "submit" button) for the website to receive the information that is typed into the form.  I just don't think that it is helpful for us to distinguish between different forms of consent — particularly since we have not resolved the question of whether we should define consent in the spec or rely on local law.  It seems imprudent to effectively define consent for this limited purpose before we resolve what we're doing with it more broadly.

It may be that where this discussion is netting out is that what we're all referring to as "declared data" is "data that a user consents, through a clear and meaningful interaction, for a party to receive."

Rob Sherman
Facebook | Manager, Privacy and Public Policy
1155 F Street, NW Suite 475 | Washington, DC 20004
office 202.370.5147 | mobile 202.257.3901

From: "Amy Colando (LCA)" <acolando@microsoft.com<mailto:acolando@microsoft.com>>
Date: Monday, November 12, 2012 8:10 AM
To: Rob Sherman <robsherman@fb.com<mailto:robsherman@fb.com>>, "Aleecia M. McDonald" <aleecia@aleecia.com<mailto:aleecia@aleecia.com>>, "public-tracking@w3.org<mailto:public-tracking@w3.org> (public-tracking@w3.org<mailto:public-tracking@w3.org>) (public-tracking@w3.org<mailto:public-tracking@w3.org>)" <public-tracking@w3.org<mailto:public-tracking@w3.org>>
Subject: RE: Proposals for Compliance issue clean up

Rob in your example (authorizing app to share info), wouldn't that authorization already be covered under consent section?

Agree with the rest of your points regarding figuring out how various pieces fit overall into the draft.



Sent from my Windows Phone
________________________________
From: Rob Sherman
Sent: 11/11/2012 7:00 PM
To: Aleecia M. McDonald; public-tracking@w3.org<mailto:public-tracking@w3.org> (public-tracking@w3.org<mailto:public-tracking@w3.org>) (public-tracking@w3.org<mailto:public-tracking@w3.org>)
Subject: Re: Proposals for Compliance issue clean up

Aleecia,

I think it is premature to finalize a definition of "declared data" before
we have consensus on whether and how the concept is relevant.
Particularly, I'm not aware of any existing text in the Editors' Draft
that uses the term "declared data," and it seems that the question whether
a particular proposed definition of that term makes sense depends a lot on
how the term is going to be used.

On the substance of Shane's proposal, though, I'd suggest that it be
modified along the lines of my correspondence with Shane
(http://lists.w3.org/Archives/Public/public-tracking/2012Oct/0310.html) to
make clear that there are situations in which information is "declared
data" even if it is not "directly and expressly supplied by a user to a
party."  As described in the thread, Shane and I agreed that this concept
includes a situation in which the user authorizes sharing of information
but does not "directly and expressly suppl[y]" it.  (For example, we
agreed that if you specifically authorize an app to publish information
about actions you take within the app to your Facebook timeline (or
specifically authorize Facebook to receive that information), that
information would be deemed "declared data" as to Facebook even though it
is not provided "directly" by the user to Facebook.)

(I'm happy to work with Shane to modify his proposal to address this
concern.  Even with those modifications, before we finalize this
definition I think it's important for us to understand how, if at all, it
will fit into the draft.)

Thanks.

Rob



Rob Sherman
Facebook | Manager, Privacy and Public Policy
1155 F Street, NW Suite 475 | Washington, DC 20004
office 202.370.5147 | mobile 202.257.3901





On 11/9/12 3:04 PM, "Aleecia M. McDonald" <aleecia@aleecia.com<mailto:aleecia@aleecia.com>> wrote:

>Here are places we might have straight-forward decisions. If there are no
>responses within a week (that is, by Friday 16 November,) we will adopt
>the proposals below.
>
>
>For issue-97 (Re-direction, shortened URLs, click analytics -- what kind
>of tracking is this?)  with action-196, we have text with no counter
>proposal. Unless someone volunteers to take an action to write opposing
>text, we will close this with the action-196 text.
>       PROPOSED: We adopt the text from action-196,
>http://lists.w3.org/Archives/Public/public-tracking/2012Jun/0106.html
>
>For issue-60 (Will a recipient know if it itself is a 1st or 3rd party?)
>we had a meeting of the minds
>(http://lists.w3.org/Archives/Public/public-tracking/2012Apr/0129.html)
>but did not close the issue. We have support for 3.5.2 Option 2,
>http://www.w3.org/2011/tracking-protection/drafts/tracking-compliance.html
>#def-first-third-parties-opt-2, with one of the authors of 3.5.1 Option
>1,
>http://www.w3.org/2011/tracking-protection/drafts/tracking-compliance.html
>#def-first-third-parties-opt-2 accepting Option 2. There was no sustained
>objection against Option 2 at that time. Let us find out if there is
>remaining disagreement.
>       PROPOSED: We adopt 3.5.2 Option 2,
>http://www.w3.org/2011/tracking-protection/drafts/tracking-compliance.html
>#def-first-third-parties-opt-2
>
>For action-306, we have a proposed definition with accompanying
>non-normative examples
>       PROPOSED: We adopt the text from action-306 to define declared data, to
>be added to the definitions in the Compliance document,
>http://lists.w3.org/Archives/Public/public-tracking/2012Oct/0296.html
>       PROPOSED: We look for volunteers to take an action to write text
>explaining when and how declared data is relevant (See the note in
>6.1.2.3,
>http://www.w3.org/2011/tracking-protection/drafts/tracking-compliance.html
>#first-party-data) to address issue-64
>
>       Aleecia

Received on Wednesday, 14 November 2012 15:40:51 UTC