- From: Jules Polonetsky <julespol@futureofprivacy.org>
- Date: Wed, 16 Nov 2011 23:40:11 -0500
- To: "'Shane Wiley'" <wileys@yahoo-inc.com>, "'John Simpson'" <john@consumerwatchdog.org>
- Cc: "'Nicholas Doty'" <npdoty@w3.org>, "'Roy T. Fielding'" <fielding@gbiv.com>, "'Mark Nottingham'" <mnot@mnot.net>, "'Karl Dubost'" <karld@opera.com>, <public-tracking@w3.org>
Sounds right

-----Original Message-----
From: Shane Wiley [mailto:wileys@yahoo-inc.com]
Sent: Wednesday, November 16, 2011 11:31 PM
To: John Simpson
Cc: Jules Polonetsky; Nicholas Doty; Roy T. Fielding; Mark Nottingham; Karl Dubost; <public-tracking@w3.org>
Subject: RE: "cross-site"

Friendly recommended amendment: Alter statement to read "First parties must NOT share user specific data with 3rd parties for those users who send the DNT signal and have not granted a site-specific exception to the 1st party."

This will leave room for sharing with Agents/Service Providers/Vendors to the 1st party -- as well as sharing aggregate and anonymous data with "others" (general reporting, for example).

- Shane

-----Original Message-----
From: John Simpson [mailto:john@consumerwatchdog.org]
Sent: Wednesday, November 16, 2011 7:51 PM
To: John Simpson
Cc: Jules Polonetsky; Nicholas Doty; Roy T. Fielding; Mark Nottingham; Karl Dubost; <public-tracking@w3.org>
Subject: Re: "cross-site"

Sorry, left out NOT. First parties must NOT share data with others.

----------------
John M. Simpson
Consumer Advocate
Consumer Watchdog
Tel: 310-392-7041

On Nov 16, 2011, at 7:45 PM, John Simpson <john@consumerwatchdog.org> wrote:

> I think there are some "must" requirements on first party sites. specifically they must share data with others ...
>
> ----------------
> John M. Simpson
> Consumer Advocate
> Consumer Watchdog
> Tel: 310-392-7041
>
>
> On Nov 16, 2011, at 7:24 PM, "Jules Polonetsky" <julespol@futureofprivacy.org> wrote:
>
>> I thought there was consensus that requirements on first parties were "may" and third parties were "must" or "shall".
>>
>> -----Original Message-----
>> From: Nicholas Doty [mailto:npdoty@w3.org]
>> Sent: Wednesday, November 16, 2011 10:20 PM
>> To: Roy T. Fielding
>> Cc: John Simpson; Mark Nottingham; Karl Dubost; public-tracking@w3.org WG (public-tracking@w3.org)
>> Subject: Re: "cross-site"
>>
>> On Nov 16, 2011, at 12:43 AM, Roy T. Fielding wrote:
>>
>>> On Nov 15, 2011, at 2:59 PM, John Simpson wrote:
>>>
>>>> Perhaps I am missing something, but I don't understand why we need the reference to "cross-site" nor to "across sites." As a user I want to send a clear and unambiguous signal that I do not wish to be tracked. I may be persuaded that first party sites and third party sites have different obligations when my message is received, but I definitely want both first and third party sites to get my message. Thus, I believe the specification should simply read:
>>>>
>>>> "This specification defines the technical mechanisms for expressing a tracking preference via the DNT request header field in HTTP."
>>>
>>> No, we've already had this conversation.
>>>
>>> We chose to make exceptions for analytics and first-party-exclusive tracking from the preference expression because they are not a privacy concern, they do match user expectations, and are necessary for DNT adoption.
>>
>> As John points out, while we do seem to agree that first and third parties may have different requirements, I'm not aware of a consensus decision that first parties are entirely excepted from the standards. In fact, the compliance document currently contains a "First Party Compliance" section, ISSUE-17 remains open and first parties could provide meaningful responses with the proposed response header.
>>
>> I also don't remember us choosing to grant an exception for analytics, besides highlighting that for later discussion. ISSUEs 23 and 24 haven't been opened yet, though the work on 73 suggests a direction for one type of analytics.
>>
>>> The combination of those two choices requires that we place an adjective before tracking in order to properly define the meaning of the header field. "cross-site" is good enough for me. We can replace it if somebody comes up with a better shorthand term.
>>
>> I'd be happy with John's suggested text, or with whatever language we land on in the compliance document (there are open issues there about "behavioral" as a potential modifier for this purpose).
>>
>> -Nick
>
Received on Thursday, 17 November 2011 04:40:51 UTC