Re: New Change Proposal for Issue-10: remove party definitions from David Wainberg on 2013-10-08 (public-tracking@w3.org from October 2013)

From: David Wainberg <dwainberg@appnexus.com>
Date: Tue, 8 Oct 2013 17:46:47 -0400
To: Justin Brookman <jbrookman@cdt.org>
CC: "public-tracking@w3.org" <public-tracking@w3.org>
Message-ID: <52547D47.6000902@appnexus.com>
Hi Justin,

First, note that I will propose contextual definitions to replace the 
party definitions under 221. The matrix of rules was intended to 
illustrate how thinking contextually greatly simplifies the expression 
of the rules.

I agree the current draft is highly context dependent. In fact, that's 
my point. It's all context dependent, yet it's written in terms of 
parties. The rules apply to context and data, not to parties, especially 
since parties change or data is passed between parties. By defining the 
rules in terms of context, we make the rules much clearer.

And, yes, a number of editorial changes would flow from the change to 
make the draft consistent with the contextual rather than party approach.

Here's an example. The current draft says in section 5.2.2:

/Third parties must provide public transparency of the time periods for 
which data collected for permitted uses are retained. The third party 
may enumerate different retention periods for different permitted uses. 
Data must not be used for a permitted use once the data retention period 
for that permitted use has expired. After there are no remaining 
permitted uses for given data, the data must be deleted or de-identified./

This is a requirement that applies outside of a network interaction. Who 
are the Third Parties to whom this transparency requirement applies? 
What we really mean is that the rule applies for data collected in a 3rd 
party context:

  "/All parties must provide public transparency for the time periods 
for which data collected in a 3rd party context is retained for 
permitted uses. Parties may enumerate * * *. Data that was collected in 
a 3rd party context must not be used for a permitted use once the data 
retention period for that permitted use has expired. * * *"/

-David


On 2013-10-08 5:21 PM, Justin Brookman wrote:
> Hi David,
>
> I'm still struggling to understand what your proposal means, or even 
> how it differs in principle from the current editors' draft.
>
> Under the current compliance standard, the rules for collection and 
> use are already *heavily dependent upon context*:  If you're a third 
> party, you can only collect and use data pursuant to operational 
> permitted uses or user-granted exception.  This remains true even when 
> the third party later engages with the user in a first party context.
>
> For first parties, they can do whatever they want in the first party 
> context except evade the standard (details on how that works still 
> being worked out).  There is an open issue over what first parties who 
> collect data can do in a later third-party context.
>
> So the standard is already heavily context-dependent --- your matrix 
> is currently addressed in the standard.  I read your proposal to just 
> ask for the deletion of first and third party from the compliance 
> spec, which would remove (some of) the contextual language from the 
> current standard without offering replacement text.  Simply deleting 
> the definitions of first and third party without more doesn't make 
> logical sense within the current document; you would need to change 
> the subsequent operational language as well.  And I'm afraid I don't 
> understand how what you're envisioning differs from what the document 
> currently accomplishes.
>
> On Oct 8, 2013, at 5:02 PM, David Wainberg <dwainberg@appnexus.com 
> <mailto:dwainberg@appnexus.com>> wrote:
>
>> Hi All,
>>
>> *Proposal*: eliminate the definitions for first and third party and 
>> instead define the contexts of data collection and use, per ISSUE-221.
>>
>> *Rationale*: Defining contexts of collection and use, rather than 
>> parties, is more precise and clear, and so will avoid confusion and 
>> misinterpretation of the spec. Speaking in terms of context goes 
>> right to the point. Parties are not inherently one or the other. 
>> Company X is a party. Is it a first party or a third party? We don't 
>> know until we see the context in which it is collecting or using data 
>> at any given moment. So let's just talk about the context, then.
>>
>> Or, to put it slightly differently, parties can morph between 1st and 
>> 3rd. They can hold data that was collected in either context and they 
>> can use data in either context. But what matters is that context in 
>> which the data is collected or used. And the DNT signal carries over 
>> with the data, even as the party switches contexts. Therefore 1st or 
>> 3rd-ness is really a property of the data, not of the party. And, it 
>> follows that it's clearer to talk about applying rules to the data 
>> rather than to parties.
>>
>> Thanks for considering this change.
>>
>> -David
>
Received on Tuesday, 8 October 2013 21:47:51 UTC