- From: Shane Wiley <wileys@yahoo-inc.com>
- Date: Thu, 17 Nov 2011 18:50:00 -0800
- To: Justin Brookman <justin@cdt.org>, "public-tracking@w3.org" <public-tracking@w3.org>
- Message-ID: <63294A1959410048A33AEE161379C8023D03B9B86A@SP2-EX07VS02.ds.corp.yahoo.com>

Thank you Justin - completely agreed. And to John's comments - I equally agree. My statement was meant only to address the "MUST" side of the equation in this isolated use case. This should not be taken to say add'l MAYs or SHOULDs could not also be layered on.

- Shane

From: Justin Brookman [mailto:justin@cdt.org]
Sent: Thursday, November 17, 2011 1:00 PM
To: public-tracking@w3.org
Subject: Re: "cross-site"

I don't think there is a fundamental split here. I think we've mostly agreed that the only MUST obligation on first parties is that they can't help third-parties evade the DNT instruction by providing them the data directly so the third-parties can correlate with similar data provided by other first parties. That doesn't sound very onerous --- as Shane notes, this is just closing a potential loophole, not an affirmative requirement on first-party data usage.

Justin Brookman
Director, Consumer Privacy Project
Center for Democracy & Technology
1634 I Street NW, Suite 1100
Washington, DC 20006
tel 202.407.8812
fax 202.637.0969
justin@cdt.org
http://www.cdt.org
@CenDemTech
@JustinBrookman

On 11/17/2011 3:28 PM, Mike Zaneis wrote:

This is where there is a fundamental split amongst the parties. We had a discussion several weeks ago about the first party obligations and I pointed out that IAB and my member companies generally support the U.S. FTC position that consumers don't expect first parties to be subject to such restrictions. Those positions have not changed.

Mike Zaneis
SVP & General Counsel, IAB
(202) 253-1466

On Nov 17, 2011, at 2:56 PM, "John Simpson" <john@consumerwatchdog.org> wrote:

Shane,

I don't understand why we would say that a 1st party most likely will not be subject to the DNT signal. If we continue to use the 1st party/3rd party distinction, it will likely (almost certainly) have different and probably fewer obligations than a third party. It should still be subject to the signal.

As a user I want the 1st party site to know that I have DNT configured. As a 1st party site operator I want to know a visitor has configured DNT and is sending me the signal. There will be some "musts", i.e. not sharing data from a DNT configured user with 3rd parties, but if I am a responsible site operator I may choose to go further in honoring the DNT request. For instance I might choose to not even include the visitor in my analytics. I need to know if DNT is configured and the way this happens is by being subject to the DNT signal.

The obligations are different, but it's important that we think of all sites being subject to the DNT signal, once it is configured in the browser.

73s,
John

On Nov 17, 2011, at 7:22 AM, Shane Wiley wrote:

Karl,

This statement is an attempt to remove the concern that a 1st party, which will most likely not be subject to the DNT signal, does not have a backdoor opportunity to pass user data directly to a 3rd party (aka - closing a loop-hole). 3rd parties present on the 1st party's web site should honor the DNT signal directly.

- Shane

-----Original Message-----
From: Karl Dubost [mailto:karld@opera.com]
Sent: Thursday, November 17, 2011 5:40 AM
To: Shane Wiley
Cc: John Simpson; Jules Polonetsky; Nicholas Doty; Roy T. Fielding; Mark Nottingham; <public-tracking@w3.org>
Subject: Re: "cross-site"

On 16 Nov 2011, at 23:30, Shane Wiley wrote:

Alter statement to read "First parties must NOT share user specific data with 3rd parties for those users who send the DNT signal and have not granted a site-specific exception to the 1st party."

This will leave room for sharing with Agents/Service Providers/Vendors to the 1st party -- as well as sharing aggregate and anonymous data with "others" (general reporting, for example).

I guess you mean s/DNT signal/DNT:1 signal/

Trying to understand what you are saying.

1. User sends DNT:1 to a website with domain name www.example.org
2. www.example.org collects data about the user (IP address and categories of pages the user visits)
3. Company Acme Hosting Inc. (a 3rd party) has access to these data NOT through the Web but through an access to the logs file.

What is happening?

--
Karl Dubost - http://dev.opera.com/
Developer Relations & Tools, Opera Software

----------
John M. Simpson
Consumer Advocate
Consumer Watchdog
1750 Ocean Park Blvd., Suite 200
Santa Monica, CA, 90405
Tel: 310-392-7041
Cell: 310-292-1902
www.ConsumerWatchdog.org
john@consumerwatchdog.org

Received on Friday, 18 November 2011 02:50:51 UTC