- From: Justin Brookman <justin@cdt.org>
- Date: Thu, 17 Nov 2011 15:59:56 -0500
- To: public-tracking@w3.org
- Message-ID: <4EC575CC.2000104@cdt.org>

I don't think there is a fundamental split here. I think we've mostly agreed that the only MUST obligation on first parties is that they can't help third-parties evade the DNT instruction by providing them the data directly so the third-parties can correlate with similar data provided by other first parties. That doesn't sound very onerous --- as Shane notes, this is just closing a potential loophole, not an affirmative requirement on first-party data usage.

Justin Brookman
Director, Consumer Privacy Project
Center for Democracy & Technology
1634 I Street NW, Suite 1100
Washington, DC 20006
tel 202.407.8812
fax 202.637.0969
justin@cdt.org
http://www.cdt.org
@CenDemTech
@JustinBrookman

On 11/17/2011 3:28 PM, Mike Zaneis wrote:
> This is where there is a fundamental split amongst the parties. We had
> a discussion several weeks ago about the first party obligations and I
> pointed out that IAB and my member companies generally support the
> U.S. FTC position that consumers don't expect first parties to be
> subject to such restrictions. Those positions have not changed.
>
> Mike Zaneis
> SVP & General Counsel, IAB
> (202) 253-1466
>
> On Nov 17, 2011, at 2:56 PM, "John Simpson" <john@consumerwatchdog.org> wrote:
>
>> Shane,
>>
>> I don't understand why we would say that a 1st party most likely will
>> not be subject to the DNT signal. If we continue to use the 1st
>> party/ 3rd party distinction, it will likely (almost certainly) have
>> different and probably fewer obligations than a third party. It
>> should still be subject to the signal.
>>
>> As a user I want the 1st party site to know that I have DNT
>> configured. As a 1st party site operator I want to know a visitor
>> has configured DNT and is sending me the signal. There will be some
>> "musts", i.e. not sharing data from a DNT configured user with 3rd
>> parties, but if I am a responsible site operator I may choose to go
>> further in honoring the DNT request. For instance I might choose to
>> not even include the visitor in my analytics. I need to know if DNT
>> is configured and the way this happens is by being subject to the DNT
>> signal.
>>
>> The obligations are different, but it's important that we think of all
>> sites being subject to the DNT signal, once it is configured in the
>> browser.
>>
>> 73s,
>> John
>>
>> On Nov 17, 2011, at 7:22 AM, Shane Wiley wrote:
>>
>>> Karl,
>>>
>>> This statement is an attempt to remove the concern that a 1st party,
>>> which will most likely not be subject to the DNT signal, does not
>>> have a backdoor opportunity to pass user data directly to a 3rd
>>> party (aka - closing a loop-hole). 3rd parties present on the 1st
>>> party's web site should honor the DNT signal directly.
>>>
>>> - Shane
>>>
>>> -----Original Message-----
>>> From: Karl Dubost [mailto:karld@opera.com]
>>> Sent: Thursday, November 17, 2011 5:40 AM
>>> To: Shane Wiley
>>> Cc: John Simpson; Jules Polonetsky; Nicholas Doty; Roy T. Fielding;
>>> Mark Nottingham; <public-tracking@w3.org>
>>> Subject: Re: "cross-site"
>>>
>>>
>>> On 16 Nov 2011, at 23:30, Shane Wiley wrote:
>>>> Alter statement to read "First parties must NOT share user specific
>>>> data with 3rd parties for those users who send the DNT signal and
>>>> have not granted a site-specific exception to the 1st party." This
>>>> will leave room for sharing with Agents/Service Providers/Vendors
>>>> to the 1st party -- as well as sharing aggregate and anonymous data
>>>> with "others" (general reporting, for example).
>>>
>>> I guess you mean
>>> s/DNT signal/DNT:1 signal"
>>>
>>> Trying to understand what you are saying.
>>>
>>> 1. User sends DNT:1 to a website with domain name
>>> www.example.org
>>> 2. www.example.org collects data about the
>>> user
>>> (IP address and categories of pages the user visits)
>>> 3. Company Acme Hosting Inc. (a 3rd party) has access to these
>>> data NOT through the Web but through an access to the logs file.
>>>
>>>
>>> What is happening?
>>>
>>>
>>> --
>>> Karl Dubost - http://dev.opera.com/
>>> Developer Relations & Tools, Opera Software
>>>
>>
>> ----------
>> John M. Simpson
>> Consumer Advocate
>> Consumer Watchdog
>> 1750 Ocean Park Blvd., Suite 200
>> Santa Monica, CA, 90405
>> Tel: 310-392-7041
>> Cell: 310-292-1902
>> www.ConsumerWatchdog.org
>> john@consumerwatchdog.org

Received on Thursday, 17 November 2011 21:00:32 UTC