Re: Outsourcing from David Wainberg on 2011-11-03 (public-tracking@w3.org from November 2011)

From: David Wainberg <dwainberg@appnexus.com>
Date: Thu, 3 Nov 2011 15:44:50 -0400
To: Jonathan Mayer <jmayer@stanford.edu>
CC: Tracking Protection Working Group WG <public-tracking@w3.org>
Message-ID: <4EB2EF32.2050707@appnexus.com>
Directionally, I like the approach, but I would propose revising it to 
make it cleaner.

  * I prefer "reasonable controls" to "reasonable technical
    precautions," because it's broader, and could encompass both
    business controls and technical controls.
  * As to what the controls are for, it's to prevent the mingling of
    data across parties, right?
  * I don't know what a "form that renders them legally enforceable" by
    all of those parties will be, especially across jurisdictions.
    However, if a company publicly states that it adheres to DNT, and if
    there's a requirement in DNT for parties in this context to have
    "reasonable controls" then that's adequate for enforcement, isn't
    it? I don't disagree with the direction of this, just need to make
    it workable.
  * To your issue about scope, the vendor needs to reserve some
    independent uses, such as to operate, maintain and improve the
    service, prevent fraud, etc. They also might disclose data in
    aggregate form to market the service, or for research.

Here's a draft proposal:

When a vendor or service provider collects or uses [some data] on behalf 
of another party, that vendor or service provider stands in the same 
position as the party with regard to DNT if the vendor or service 
provider: 1) will use the data in non-aggregate form only on behalf of 
the party, and 2) takes reasonable measures to ensure 1. Whether 
measures are reasonable depends on particular circumstances, but may 
include business or technical controls such as [TBD].

Notes:

  * "some data" is a placeholder for a yet to be defined scope of data
    to which DNT applies
  * I broadened to any parties, not just 1st vs 3rd, so that, e.g.,
    vendors of vendors will be covered (and also because I continue to
    doubt that the 1st vs 3rd distinction is useful.)
  * I propose, for clarity, that we refer to this type of relationship
    as a "vendor" or "service provider" relationship. I think that's
    consistent with usage in the industry, so will be better understood.


On 11/1/11 10:38 AM, Jonathan Mayer wrote:
> (ACTION-28, ISSUE-23)
>
> The text below reflects (I think) our consensus in Santa Clara on outsourcing.
>
> If a first-party website outsources functionality to a third-party website, the third party may act as a first party under this standard so long as all of the following conditions are met when responding to a Do Not Track request.
>
> 1) The third-party website takes reasonable technical precautions.
>
> Non-normative: One component of reasonable technical precautions may be using the same-origin policy to segregate information for each first-party customer.
>
> 2) The third-party website makes public commitments in a form that renders them legally enforceable by its first-party customer, individual users, and regulators.
>
> This leaves at least four open sub-issues on outsourcing:
>
> 1) What is the scope of "outsourcing"?  Is the third party just stepping into the first party's shoes?  Or does it have some independent discretion in using data for its own purposes (e.g. for "product improvement" and "aggregate statistics" as Shane and Jules have proposed)?  Here's my language from earlier in the month:
>> -the third party will not use the data it collects except as directed by the first party
>> -the third party will only use the data it collects to provide functionality to the first party; it will not use the data it collects for its own purposes
>> -the third party will not share the data it collects except with the first party
>> -if the first party requests, the third party will promptly delete the data it has collected
>> -if the first party closes its account, the third party will promptly delete the data it has collected
>
> 2) What are the third party's technical precautions for?  Preventing the collection of cross-site tracking data?  Siloing data per first-party customer?
>
> 3) What are the factors that go into a reasonable technical precaution?  (Note: this depends on what the precaution is for.)  Here's my old language:
>> -the extent to which the technical precautions prevent the collection of cross-site tracking data
>> -whether the technical precautions are externally verifiable
>> -the extent to which the technical precautions impede the third-party website's other functionality
>
> 4) Is there a MUST or SHOULD for reasonable internal controls?  Old language:
>> 2) The third-party website imposes reasonable internal controls to prevent the collection, retention, and use of cross-site tracking data.  Reasonable internal controls may consist of, among other practices, data segregation, encryption, access control, and employee training.
>>
>> Example:
>> Example Analytics collects data on behalf of first-party websites in a single database table that all employees have access to.
>>
>> Discussion:
>> Example Analytics has not imposed reasonable internal controls.
>
Received on Thursday, 3 November 2011 19:57:51 UTC