
Re: tracking-ISSUE-190: Sites with multiple first parties [Tracking Preference Expression (DNT)]

From: David Singer <singer@apple.com>
Date: Tue, 08 Jan 2013 17:06:58 -0800
Cc: Tracking Protection Working Group <public-tracking@w3.org>
Message-id: <00977FD6-BEDF-4E3D-8D1A-C409E299154F@apple.com>
To: "Roy T. Fielding" <fielding@gbiv.com>

On Jan 8, 2013, at 16:59 , "Roy T. Fielding" <fielding@gbiv.com> wrote:

> The issue is joint data controllers.  It is impossible to
> express that in the protocol currently, and it cannot be
> discovered otherwise.
> 
> ….Roy

OK, I am looking at definitions on the web, for example "http://www.out-law.com/en/articles/2012/april/level-of-expertise-key-factor-in-determining-whether-processor-is-also-controller-of-personal-data-ico-says/".  In what circumstances can this arise for us?  I am not seeing it.

If the user 'intends to visit' example.com, and example.com has a service provider provider.com under a service agreement, then the SP identifies either as part of example.com, or as an SP to example.com (we covered this already).  Provider.com is not a joint DC under these terms because they have no independent rights to the data; they are a data processor, not joint DC.

The guidance says "Where the service provider is either given considerable flexibility or independence in determining how to satisfy the client’s broad instructions or is providing the service in accordance with externally-imposed professional or ethical standards, he will be acting as a joint data controller, rather than a data processor, in relation to the service data,"

Now, how can this occur in our context?  Does provider.com have independent rights to collect data, or not?  If so, they are an independent first or third party; if not, they are a data processor, no?

> 
> On Jan 8, 2013, at 4:20 PM, David Singer wrote:
> 
>> I am somewhat puzzled by what the issue is.
>> 
>> If there are sites that build in content from multiple parties, and the user expected them to be first parties -- or they are anyway -- they say so in their response header and/or well-known resource.
>> 
>> If there are sites that build content from multiple servers that are all the same party, they can say that in the well-known resource (same-party).
>> 
>> What doesn't work, or isn't clear, already?
>> 
>> 
>> On Jan 8, 2013, at 7:53 , Tracking Protection Working Group Issue Tracker <sysbot+tracker@w3.org> wrote:
>> 
>>> tracking-ISSUE-190: Sites with multiple first parties  [Tracking Preference Expression (DNT)]
>>> 
>>> http://www.w3.org/2011/tracking-protection/track/issues/190
>>> 
>>> Raised by: Matthias Schunter
>>> On product: Tracking Preference Expression (DNT)
>>> 
>>> Address how multiple first parties can be expressed in tracking status representation
>>> 
>>> 
>>> 
>> 
>> David Singer
>> Multimedia and Software Standards, Apple Inc.
>> 
>> 
> 

David Singer
Multimedia and Software Standards, Apple Inc.
Received on Wednesday, 9 January 2013 01:08:27 UTC
