- From: Ralph Brown <ralph@brownwolfconsulting.com>
- Date: Mon, 10 Jan 2022 15:11:56 -0700
- To: Don Marti <dmarti@cafemedia.com>
- Cc: public-privacycg@w3.org, Scott Yates <scott@journallist.net>
- Message-Id: <2DE968F1-DA9D-4EE9-9E1A-05777BB461C1@brownwolfconsulting.com>
Don, At JournalList we have been more concerned with the second and less the first, while it appears to me that the the Privacy Community Group is more concerned with the first and less the second. Both of course are important. I agree with the concern about getting into the weeds of corporate ownership. I guess the question then is, what is sufficient representation to confirm the controlling/controlled relationship implied by First-Party Sets? Is this something that the group has already resolved? Regards, Ralph -- Ralph W. Brown Founder Brown Wolf Consulting LLC 1355 S Foothills Hwy Boulder, CO 80305 m: +1-303-517-6711 e: ralph@brownwolfconsulting.com w: www.brownwolfconsulting.com > On Jan 10, 2022, at 3:04 PM, Don Marti <dmarti@cafemedia.com> wrote: > > Hi Ralph, > > Yes, it seems like in the case of JournalList there are two kinds of control to be concerned about > > * Controllership of processing of personal data > > * Editorial control of content > > So far we have been trying to avoid getting into the weeds of corporate ownership issues when defining common controller. Real-world web and media companies have complicated structures that would be hard for a browser vendor or enforcement entity to analyze, and it's way too easy to set up corporate ownership arrangements where two sites have common ownership on paper but are managed independently for purposes of user data sharing and editorial decisions ( https://github.com/privacycg/first-party-sets/issues/49 <https://github.com/privacycg/first-party-sets/issues/49> ) > > Best, > Don > > On Mon, Jan 10, 2022 at 1:06 PM Ralph Brown <ralph@brownwolfconsulting.com <mailto:ralph@brownwolfconsulting.com>> wrote: > Don, > > Thanks for the question. To this point, we haven’t been anymore explicit about the relationships described in the trust.txt file than the following language on page 6 of the specification: > > "While these roles are broadly described, there is an implied trust relationship between organizations that fall into these respective roles. This trust relationship is typically based on a legal agreement executed by the respective parties (for example, a membership agreement or a purchase agreement).” > > As you point out, the GDPR language you reference is specific to control over the use of personal data collected by the site and the control JournalList is interested in goes beyond this to include the content that is published on the controlled sites. > > Perhaps there is a legal definition (or acceptable legal language) to address the type of control that is relevant to both First-Party Sets and JournalList. It strikes me that control in this sense is organizational control either through ownership or equivalent influence over the policies and practices of the controlled entity. > > We are always interested in improving the JournalList trust.txt specification and open to input to improve it. A better definition of control certainly makes sense. > > Regards, > > Ralph > -- > Ralph W. Brown > Founder > Brown Wolf Consulting LLC > 1355 S Foothills Hwy > Boulder, CO 80305 > m: +1-303-517-6711 > e: ralph@brownwolfconsulting.com <mailto:ralph@brownwolfconsulting.com> > w: www.brownwolfconsulting.com <http://www.brownwolfconsulting.com/> > > <Brown Wolf Consulting Logo Trandemark Wide.jpg> > >> On Jan 10, 2022, at 12:28 PM, Don Marti <dmarti@cafemedia.com <mailto:dmarti@cafemedia.com>> wrote: >> >> Hi Ralph, >> >> This could be very helpful. I do have a question about the "control" and "controlledBy" fields, along with the definition of "control". >> >> Right now there is still an open topic of discussion about how First-Party Sets will define common control for members of a set. >> >> There is a workable definition of "controller" in GDPR: "natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data." FPS is intended to be international, but this definition is the best one I have found so far. >> >> (For purposes of trust in journalism, data controller would probably be necessary but not sufficient--the definition of control would have to include content-related control.) >> >> Would you consider making the definition of "control" more specific, to include the GDPR language or similar on data stewardship? >> >> Best, >> Don >> >> >> On Mon, Jan 10, 2022 at 10:55 AM Ralph Brown <ralph@brownwolfconsulting.com <mailto:ralph@brownwolfconsulting.com>> wrote: >> Fellow Privacy Community Group members, >> >> Scott Yates (Executive Director, JournalList.net <http://journallist.net/>) and I shared this proposal with Kaustubha Govind last month and he recommended that we share it with the group. >> >> The work on First-Party Sets recently came to our attention which caused us to join the Privacy Community Group. We think it might be interesting to have a conversation about what we do at JournalList.net <http://journallist.net/>, which is publish the trust.txt specification document (attached). >> >> In short, it's a simple yet powerful way to expose relationship among websites (spec here <https://journallist.net/reference-document-for-trust-txt-specifications>), including the relationships of “control” and “controlledby”. >> >> The original concept was to make the relationship among news organizations (publishers) and press associations explicitly readable by web browsers, web crawlers, programmatic ad buyers, researchers, etc. It is beginning to gain adoption among a number of press organizations, including the Associated Press and Digital Content Next. >> >> These symmetric relationships “control/controlledby”, (and others) are beneficial as they can expose entities that attempt to overstate their “control” or “membership” status. If the reciprocal relationship is not expressed, one has to question the assertion of this relationship. For example, if an entity attempts to overstate their “control” by including websites over which they do not have control, a missing “controlledby” relationship would expose this. >> >> In other words, if ap.org/trust.txt <http://ap.org/trust.txt> expressed that it controls https://apnews.com/trust.txt <https://apnews.com/trust.txt>, that would be a quick and seamless way for a browser to ingest a first-party relationship. If scammysite.xyz <http://scammysite.xyz/> expressed that it had a first-party relationship with ap.org <http://ap.org/>, that would be easily disproved by looking at ap.org/trust.txt <http://ap.org/trust.txt>. >> >> By allowing entities to self publish their trust.txt file it avoids the centralized submission/validation process, while other mechanisms can be used post-hoc to validate/police the self published trust.txt files. >> >> We welcome a discussion among the group on this proposal. >> >> Regards, >> >> Scott Yates & Ralph Brown >> -- >> Ralph W. Brown >> Founder >> Brown Wolf Consulting LLC >> 1355 S Foothills Hwy >> Boulder, CO 80305 >> m: +1-303-517-6711 >> e: ralph@brownwolfconsulting.com <mailto:ralph@brownwolfconsulting.com> >> w: www.brownwolfconsulting.com <http://www.brownwolfconsulting.com/> >> >> <Brown Wolf Consulting Logo Trandemark Wide.jpg> >> >
Attachments
- text/html attachment: stored
- image/jpeg attachment: Brown_Wolf_Consulting_Logo_Trandemark_Wide.jpg
Received on Monday, 10 January 2022 22:13:11 UTC