Re: First-Party sets and the potential application of the JournalList trust.txt specification

Don,

Thanks for the question. To this point, we haven’t been anymore explicit about the relationships described in the trust.txt file than the following language on page 6 of the specification:

"While these roles are broadly described, there is an implied trust relationship between organizations that fall into these respective roles. This trust relationship is typically based on a legal agreement executed by the respective parties (for example, a membership agreement or a purchase agreement).”

As you point out, the GDPR language you reference is specific to control over the use of personal data collected by the site and the control JournalList is interested in goes beyond this to include the content that is published on the controlled sites. 

Perhaps there is a legal definition (or acceptable legal language) to address the type of control that is relevant to both First-Party Sets and JournalList. It strikes me that control in this sense is organizational control either through ownership or equivalent influence over the policies and practices of the controlled entity.

We are always interested in improving the JournalList trust.txt specification and open to input to improve it. A better definition of control certainly makes sense.

Regards,

Ralph
--
Ralph W. Brown
Founder
Brown Wolf Consulting LLC
1355 S Foothills Hwy
Boulder, CO 80305
m: +1-303-517-6711
e: ralph@brownwolfconsulting.com
w: www.brownwolfconsulting.com



> On Jan 10, 2022, at 12:28 PM, Don Marti <dmarti@cafemedia.com> wrote:
> 
> Hi Ralph,
> 
> This could be very helpful. I do have a question about the "control" and "controlledBy" fields, along with the definition of "control".
> 
> Right now there is still an open topic of discussion about how First-Party Sets will define common control for members of a set.
> 
> There is a workable definition of "controller" in GDPR: "natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data." FPS is intended to be international, but this definition is the best one I have found so far.
> 
> (For purposes of trust in journalism, data controller would probably be necessary but not sufficient--the definition of control would have to include content-related control.)
> 
> Would you consider making the definition of "control" more specific, to include the GDPR language or similar on data stewardship?
> 
> Best,
> Don
> 
> 
> On Mon, Jan 10, 2022 at 10:55 AM Ralph Brown <ralph@brownwolfconsulting.com <mailto:ralph@brownwolfconsulting.com>> wrote:
> Fellow Privacy Community Group members,
> 
> Scott Yates (Executive Director, JournalList.net <http://journallist.net/>) and I shared this proposal with Kaustubha Govind last month and he recommended that we share it with the group.
> 
> The work on First-Party Sets recently came to our attention which caused us to join the Privacy Community Group. We think it might be interesting to have a conversation about what we do at JournalList.net <http://journallist.net/>, which is publish the trust.txt specification document (attached). 
> 
> In short, it's a simple yet powerful way to expose relationship among websites (spec here <https://journallist.net/reference-document-for-trust-txt-specifications>), including the relationships of  “control” and “controlledby”.
> 
> The original concept was to make the relationship among news organizations (publishers) and press associations explicitly readable by web browsers, web crawlers, programmatic ad buyers, researchers, etc. It is beginning to gain adoption among a number of press organizations, including the Associated Press and Digital Content Next.
> 
> These symmetric relationships “control/controlledby”, (and others) are beneficial as they can expose entities that attempt to overstate their “control” or “membership” status. If the reciprocal relationship is not expressed, one has to question the assertion of this relationship. For example, if an entity attempts to overstate their “control” by including websites over which they do not have control, a missing “controlledby” relationship would expose this.
> 
> In other words, if ap.org/trust.txt <http://ap.org/trust.txt> expressed that it controls https://apnews.com/trust.txt <https://apnews.com/trust.txt>, that would be a quick and seamless way for a browser to ingest a first-party relationship. If scammysite.xyz <http://scammysite.xyz/> expressed that it had a first-party relationship with ap.org <http://ap.org/>, that would be easily disproved by looking at ap.org/trust.txt <http://ap.org/trust.txt>.
> 
> By allowing entities to self publish their trust.txt file it avoids the centralized submission/validation process, while other mechanisms can be used post-hoc to validate/police the self published trust.txt files.
> 
> We welcome a discussion among the group on this proposal.
> 
> Regards,
> 
> Scott Yates & Ralph Brown
> --
> Ralph W. Brown
> Founder
> Brown Wolf Consulting LLC
> 1355 S Foothills Hwy
> Boulder, CO 80305
> m: +1-303-517-6711
> e: ralph@brownwolfconsulting.com <mailto:ralph@brownwolfconsulting.com>
> w: www.brownwolfconsulting.com <http://www.brownwolfconsulting.com/>
> 
> <Brown Wolf Consulting Logo Trandemark Wide.jpg>
>