Re: First-Party sets and the potential application of the JournalList trust.txt specification

Hi Ralph,

Yes, it seems like in the case of JournalList there are two kinds of
control to be concerned about:

 * Controllership of processing of personal data

 * Editorial control of content

So far we have been trying to avoid getting into the weeds of corporate
ownership issues when defining common controller. Real-world web and media
companies have complicated structures that would be hard for a browser
vendor or enforcement entity to analyze, and it's way too easy to set up
corporate ownership arrangements where two sites have common ownership on
paper but are managed independently for purposes of user data sharing and
editorial decisions
(https://github.com/privacycg/first-party-sets/issues/49).

Best,
Don

On Mon, Jan 10, 2022 at 1:06 PM Ralph Brown <ralph@brownwolfconsulting.com>
wrote:

> Don,
>
> Thanks for the question. To this point, we haven’t been any more explicit
> about the relationships described in the trust.txt file than the following
> language on page 6 of the specification:
>
> "While these roles are broadly described, there is an implied trust
> relationship between organizations that fall into these respective roles.
> This trust relationship is typically based on a legal agreement executed by
> the respective parties (for example, a membership agreement or a purchase
> agreement)."
>
> As you point out, the GDPR language you reference is specific to control
> over the use of personal data collected by the site and the control
> JournalList is interested in goes beyond this to include the content that
> is published on the controlled sites.
>
> Perhaps there is a legal definition (or acceptable legal language) to
> address the type of control that is relevant to both First-Party Sets and
> JournalList. It strikes me that control in this sense is organizational
> control either through ownership or equivalent influence over the policies
> and practices of the controlled entity.
>
> We are always interested in improving the JournalList trust.txt
> specification and open to input to improve it. A better definition of
> control certainly makes sense.
>
> Regards,
>
> Ralph
> --
> Ralph W. Brown
> Founder
> Brown Wolf Consulting LLC
> 1355 S Foothills Hwy
> Boulder, CO 80305
> m: +1-303-517-6711
> e: ralph@brownwolfconsulting.com
> w: www.brownwolfconsulting.com
>
>
> On Jan 10, 2022, at 12:28 PM, Don Marti <dmarti@cafemedia.com> wrote:
>
> Hi Ralph,
>
> This could be very helpful. I do have a question about the "control" and
> "controlledBy" fields, along with the definition of "control".
>
> Right now there is still an open topic of discussion about how First-Party
> Sets will define common control for members of a set.
>
> There is a workable definition of "controller" in GDPR: "natural or legal
> person, public authority, agency or other body which, alone or jointly with
> others, determines the purposes and means of the processing of personal
> data." FPS is intended to be international, but this definition is the best
> one I have found so far.
>
> (For purposes of trust in journalism, data controller would probably be
> necessary but not sufficient--the definition of control would have to
> include content-related control.)
>
> Would you consider making the definition of "control" more specific, to
> include the GDPR language or similar on data stewardship?
>
> Best,
> Don
>
>
> On Mon, Jan 10, 2022 at 10:55 AM Ralph Brown <
> ralph@brownwolfconsulting.com> wrote:
>
>> Fellow Privacy Community Group members,
>>
>> Scott Yates (Executive Director, JournalList.net
>> <http://journallist.net/>) and I shared this proposal with Kaustubha
>> Govind last month and he recommended that we share it with the group.
>>
>> The work on First-Party Sets recently came to our attention which caused
>> us to join the Privacy Community Group. We think it might be interesting to
>> have a conversation about what we do at JournalList.net
>> <http://journallist.net/>, which is publish the trust.txt specification
>> document (attached).
>>
>> In short, it's a simple yet powerful way to expose relationships among
>> websites (spec here
>> <https://journallist.net/reference-document-for-trust-txt-specifications>),
>> including the relationships of “control” and “controlledby”.
>>
>> The original concept was to make the relationship among news
>> organizations (publishers) and press associations explicitly readable by
>> web browsers, web crawlers, programmatic ad buyers, researchers, etc. It is
>> beginning to gain adoption among a number of press organizations, including
>> the Associated Press and Digital Content Next.
>>
>> These symmetric relationships, “control/controlledby” (and others), are
>> beneficial as they can expose entities that attempt to overstate their
>> “control” or “membership” status. If the reciprocal relationship is not
>> expressed, one has to question the assertion of this relationship. For
>> example, if an entity attempts to overstate their “control” by including
>> websites over which they do not have control, a missing “controlledby”
>> relationship would expose this.
>>
>> In other words, if ap.org/trust.txt expressed that it controls
>> https://apnews.com/trust.txt, that would be a quick and seamless way for
>> a browser to ingest a first-party relationship. If scammysite.xyz expressed
>> that it had a first-party relationship with ap.org, that would be easily
>> disproved by looking at ap.org/trust.txt.
>>
>> By allowing entities to self publish their trust.txt file it avoids the
>> centralized submission/validation process, while other mechanisms can be
>> used post-hoc to validate/police the self published trust.txt files.
>>
>> We welcome a discussion among the group on this proposal.
>>
>> Regards,
>>
>> Scott Yates & Ralph Brown
>> --
>> Ralph W. Brown
>> Founder
>> Brown Wolf Consulting LLC
>> 1355 S Foothills Hwy
>> Boulder, CO 80305
>> m: +1-303-517-6711
>> e: ralph@brownwolfconsulting.com
>> w: www.brownwolfconsulting.com
>>
>>
>

Received on Monday, 10 January 2022 22:06:14 UTC
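
The reciprocal check described in the original proposal (a "control" claim is accepted only when the named site publishes the matching "controlledby", and vice versa), as an added example that is not part of the thread or of the JournalList specification. It assumes one attribute=value entry per line with # comments; the file bodies are constructed samples, not the real files of the sites named.

```python
from urllib.parse import urlsplit

# Constructed trust.txt bodies keyed by publishing host (not the real files).
SAMPLE_FILES = {
    "ap.org": "# constructed sample\ncontrol=https://apnews.com/\n",
    "apnews.com": "controlledby=https://ap.org/\n",
    "scammysite.xyz": "controlledby=https://ap.org/\ncontrol=https://apnews.com/\n",
}

# Each attribute is confirmed only by its counterpart in the peer's file.
RECIPROCAL = {"control": "controlledby", "controlledby": "control"}


def host_of(value):
    """Normalize a URL or bare host to a lowercase hostname without 'www.'."""
    value = value.strip()
    parsed = urlsplit(value if "://" in value else "//" + value)
    host = (parsed.hostname or "").lower()
    return host[4:] if host.startswith("www.") else host


def parse_trust_txt(text):
    """Return {attribute: set(hosts)} for the two attributes checked here."""
    relations = {name: set() for name in RECIPROCAL}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments (assumed syntax)
        if "=" not in line:
            continue
        key, value = line.split("=", 1)
        key = key.strip().lower()
        if key in relations and host_of(value):
            relations[key].add(host_of(value))
    return relations


def check_claims(host, files):
    """Map each (attribute, peer) claim made by `host` to a verdict string."""
    verdicts = {}
    for attr, peers in parse_trust_txt(files[host]).items():
        for peer in sorted(peers):
            if peer not in files:
                # A missing peer file proves nothing either way.
                verdicts[(attr, peer)] = "unverifiable"
                continue
            peer_rel = parse_trust_txt(files[peer])
            confirmed = host in peer_rel[RECIPROCAL[attr]]
            verdicts[(attr, peer)] = "confirmed" if confirmed else "unconfirmed"
    return verdicts
```

A consumer would treat only "confirmed" pairs as a candidate relationship; "unconfirmed" is the overstated-claim case from the proposal, and "unverifiable" should not be read as confirmation.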