- From: Nick Doty <ndoty@cdt.org>
- Date: Fri, 14 Jan 2022 14:28:13 -0500
- To: Don Marti <dmarti@cafemedia.com>
- Cc: "Zucker-Scharff, Aram" <aram.zucker-scharff@washpost.com>, Ralph Brown <ralph@brownwolfconsulting.com>, Robin Berjon <robin@berjon.com>, "public-privacycg@w3.org" <public-privacycg@w3.org>, Scott Yates <scott@journallist.net>
- Message-ID: <CA+tYtvFdej1N3gBJcxWRziL-KdvCUkrg=OupRS=ZusatVkoWsg@mail.gmail.com>
On Thu, Jan 13, 2022 at 2:31 PM Don Marti <dmarti@cafemedia.com> wrote: > > On Thu, Jan 13, 2022 at 9:53 AM Zucker-Scharff, Aram < > Aram.Zucker-Scharff@washpost.com> wrote: > > But I don’t really see how any of this lands us on FPS anyway. There is no >> better way to have a clear shared indicator of shared context then >> operating on the same domain as far as I can see, and I’m not really clear >> on how FPS would give us the ability to enforce any clearer way than >> ‘operates on the same domain’ or would otherwise meet the minimum clarity >> required to make the affiliation visible to all users. Arguably, even that >> isn’t enough to make clear to users what is going on with their data, as it >> still leaves them with the mysteries of how these companies operate >> internally, but it still is significantly clearer than any other options I >> have heard or could conceive. It at least makes it unmistakable who the >> operator they have to object to is. >> >> >> >> I’m open to hearing some clear articulation of why every business needs >> to run on multiple TLDs and that t/f requires FPS… but I haven’t even heard >> that yet. >> >> >> >> I appreciate the work that has gone into trust.txt but I’m just not sure >> why we would want to shave a square peg to fit a round hole when we could >> have a round peg made for purpose. I know that in theory this means More >> Standards which can be undesirable, but in this case--especially with the >> idea that we’re going to have to build some theoretical user-manned >> regulatory body that will be reviewing FPSs, a presumably extensive and >> never-ending queue--it seems like a new standard for how to proclaim FPSs >> that is a best-possible fit is worth the time and effort. >> > > It is possible for FPS to be a net win for users. > I'm interested to understand how this would be a benefit for users, so thanks for giving this example to work through. > For example, let's say that dobbsford.example and dobbstoyota.example are > two car dealership sites, and users of both are aware of the common brand > identity of the two sites. The Bob Dobbs who tells them "Bob Dobbs won't > make you pay a lot for a Ford!" and the Bob Dobbs who tells them "Bob Dobbs > won't make you pay a lot for a Toyota!" are the same recognizable > advertising personality. > > The two sites have the same design elements, shared copy, and privacy > policy text. The two identical privacy policies state that the site will > not allow your email address to be used for spam email if you provide it. > What was the user benefit here? As the user, did I want both dealerships to know what cars I was looking at on the other site without logging in? > When the sites claim an FPS, the IEE gives them an incentive to adhere to > their own published privacy policy. If the IEE makes an account with a > spamtrap address on one of the two sites, and then receives spam, the FPS > is invalid. The decision to claim an FPS and stick to it is a way for a > single service with multiple domains to make a credible commitment to its > own privacy policy. FPSs are asking the user for an exception to the normal > rule, and offering to pay for the exception with the validation services > provided by the IEE. > I'm not clear how in this proposal the FPS is a way for a company to commit to its own privacy policy. I'm not precisely sure what redress I would have if a company promised not to do something in their privacy policy and then did it anyway, but I would expect to reach out to a local consumer protection authority -- maybe this is a deceptive trade practice. That doesn't seem to rely on their being two different domains that claim in a machine-readable way to be owned by the same party. Is the commitment more credible because a browser might restrict the scope of cookies if a violation of the commitment comes to light and that penalty would be more meaningful than what local consumer protection would bring? Or would it be similar to a BBB or other trust seal? > (I don't know if the two sites in this example actually have the same > "ownership". The two dealerships are LLCs with overlapping member lists, > and have issued convertible debt instruments to different parties. Bob > Dobbs is one step ahead of the IRS, and at least one step ahead of any IEE > that tried to figure out the same info.) > I believe you that companies may use complicated arrangements to defraud local tax authorities. As a user, I would be very confused if I granted special access to combine my data across domains because I thought it was the same entity and then it turned out that the data was actually being shared by two different companies. That the privacy policy (that I surely didn't read) was identical text for the two companies doesn't necessarily seem like a big advantage to the end user. Which company should I report to the local authority when my email address was shared by one of them for spam? Cheers, Nick >
Received on Friday, 14 January 2022 19:28:38 UTC