Re: PING - areas where contributions are needed

Dear all,

First of all, this is my first post here so greetings fellow PINGers! I
hope to contribute to PING's works here and there.

I would like to address the recent contribution request (
https://lists.w3.org/Archives/Public/public-privacy/2015JulSep/0138.html).

I wanted to highlight some, perhaps minuscule (perhaps not) things in
relation to the Tracking Compliance [3] (
http://www.w3.org/TR/2015/WD-tracking-compliance-20150714/#transitive-exceptions)
that might deserve a bit of scrutiny.

First of all, this is a good job. Let's hope deployment & actual enforcement
will follow later on.

Now my comments are directed solely at point 4 of this draft, the consent.
Specifically, 4.1 - about transitive consent for data sharing.
It is naturally a usability feature that has practical means and needs,
i.e. to transfer the consent to the service providers. I will follow the
draft text and
use here the example of ads providers as well.

First issue is whether it won't allow the, well, let's poetically call it
"consent laundering"?

Scenario:

1. User has no previous knowledge of the existence of parties, say, A1,
...., A100.
2. User grants consent (for sharing data) to B.
3. A1, ..., A100 do not wish to ask for consent, for whatever reason. So
they use
the service of B to transitively acquire it.

So perhaps an example party, say A37, could even inject scripts of B, who
then would inject scripts of A37...?
Since B can transfer consent, consent is granted to A37. In a manner
similar to cookie matching (e.g. using HTTP redirects, as in
https://developers.google.com/ad-exchange/rtb/cookie-guide).
I acknowledge the latter MUST clause, where I do not see any suggestions of
enforcement.

So this is a privacy case with possibly non-obvious implications where
consent is being transferred to other party, as a matter of service.


Another comment may touch the "inhibiting adoption" issue. Whether enough
flexibility in terms of consent is provided - provided there is a justified
need, that is.
In this case let's discuss a situation when, say, the user visits
site A, a consent (for sharing data) is given to other party B (level 1),
and then B (later on) transitively
provides this to other parties (level 2; C, D, ...), of which the user may
not be aware of.
So the thing here is: to how many parties the consent is being granted in
this mode? Also, how many levels of consent should be allowed? Should there
be any concept of levels at all?

But further, let's assume a site A is including scripts of B (with consent
for sharing data), who is an Ad Exchange, running a Real-Time Bidding
platform (https://developers.google.com/ad-exchange/rtb/). Then let's
assume this platform has 100 bidders - all of them receive data about the
user during the RTB protocol. Furthermore, let's say a bidder C wins and is
able to deliver an ad. Does C, who may possibly maintain its own tracking
infrastructure posses the consent due to the transitivity?

Even more specifically, what happens if C is also an Ad Exchange and runs
another round, and has also a number of bidders and in the end some other
party D wins and delivers the end-content. So the original consent might
possibly be granted to B, going through C and reaching D?

In this case, I think 4.1 is written quite well in terms of generality, but
are we sure about the levels of transitivity?

Now to sum it up, consent is obviously required. This is a core principle
of privacy. But should there be any limits to transitivity? Or perhaps the
points I highlighted might be addressed somehow?

Best regards
Lukasz Olejnik

Received on Wednesday, 30 September 2015 13:29:30 UTC