Re: "cross-site"

Hi Mike,

I've been loathe to jump into a very interesting and productive exchange, but there are a few things here where it may be worth understanding my views as we proceed. 

First and foremost, the FTC does not decide the contours of our work. Not that we should ignore the FTC, since if we fail to meet the FTC's minimum requirements, they will call for either new laws or a heavier regulatory approach. That's on record too, and is why some of us are in the room at the W3C in the first place. There is nothing at all in the FTC report that says they will take action if we -- or industry self-regulatory groups, for that matter -- choose to do more than their minimum on privacy. As one example, the DAA's Self-Regulatory Principles for Multi-Site Data [1] add restrictions for data use around employment, credit, health care, and insurance. To the best of my knowledge, the FTC has never issued a report calling for these categories to get different treatment. But the DAA is free to place restrictions upon their members. Similarly, the Tracking Protection Working Group is free to set standards that we think are appropriate and reasonable, and any company choosing to comply with the recommendation shall follow those standards.

Second, W3C recommendations issue "could", "should", and best practices guidance. These terms and others are commonly defined in RFC 2119 [2], and you can see them in action in several W3C recommendations [3]. I see no reason for us to restrict ourselves to a subset of the tools available to us. I expect we will have some baseline MUST requirements, and we may have places we suggest what companies "should" do, which allows us to take a lighter touch than a firm "must". Most of the time, I think you will favor "should" to "must."

Third, I wonder if your issue is not about "could" or "should" but rather that you feel you had a better deal around first parties in a different fora. While I am sympathetic to the frustration that several people in the TPWG have been discussing, negotiating, and at times reaching prior agreements around DNT topics since 2007, we can and will reach different outcomes here. DNT has evolved since initial proposals that users somehow register they did not want to be tracked. Ideas have continued to evolve over the past year; since the FTC report, several implementations went live. The first group to implement Do Not Track was not an advertiser [4]. In practice, DNT is not just about OBA and third parties; first parties have already implemented DNT [5]. I have a hard time envisioning how the TPWG would justify authoring a standard that tells companies they must do less on privacy than they do today. 

Finally, one of the strengths of the W3C process is that we have voices from all across the spectrum, including some civil society groups that have not been part of prior efforts. This is important. Building a system that works for industry, and only for industry, will ultimately not meet our goals any more than building something that is full-tilt for privacy and impossible for business. This process is not something that can happen in a back room.

What would be helpful to me is a better understanding of your concerns. For example, if you think it is problematic to require that first parties must not sell user data under Do Not Track, what is it that you think is a problem? Right now I think I understand your position -- no requirements or recommendations to first parties -- but I do not understand your underlying issues. You have visibility into companies that most (if not all) of us lack. I would like to understand where you are coming from at a deeper level. 

	Aleecia

[1] http://www.aboutads.info/resource/download/Multi-Site-Data-Principles.pdf
[2] https://www.ietf.org/rfc/rfc2119.txt
[3] Selected randomly: http://www.w3.org/TR/2009/REC-xforms-20091020/
[4] http://yro.slashdot.org/story/11/03/31/1926200/AP-Adopts-Firefoxs-Do-Not-Track-Others-On-the-Way
[5] https://developer.mozilla.org/en/The_Do_Not_Track_Field_Guide

On Nov 17, 2011, at 9:28 PM, Mike Zaneis wrote:

> Sorry Jeff and John, but the FTC and industry are on record with this issue. Below are my original statements, none of which have been rebuked by the FTC:
> 
> "I have to agree with Shane that first parties are outside of the scope of the DNT proposal.  In the U.S. this has been widely agreed too, with the Federal Trade Commission stating that:
> 
> "The (OBA Privacy) report concludes that fewer privacy concerns may be associated with "first-party" and "contextual" advertising than with other behavioral advertising, and concludes that it is not necessary to include such advertising within the scope of the principles."  http://www.ftc.gov/opa/2009/02/behavad.shtm.  
> 
> While I understand that this is meant to be a global document, U.S. companies operate under the assumption that they are not covered by third party requirements, which raise more consumer concerns.  
> 
> Furthermore, it seems that making non-binding policy statements as to what first parties "could" or "should" do is not within scope of the W3C mission nor this particular document.
> 
> It is unlikely that first parties would adhere to restrictions that they have been told should not affect them and thus inclusion of such provisions would diminish adoption of any W3C standard and would subject companies that are outside of the scope of this  document to unnecessary and unjustified public scrutiny."
> 
> Mike Zaneis
> SVP & General Counsel, IAB
> (202) 253-1466
> 
> On Nov 17, 2011, at 10:08 PM, "Jeffrey Chester" <jeffreychester@me.com> wrote:
> 
>> The ftc's position on first and third parties is evolving, I believe.  We have provided them with evidence that the distinctions  between first and third parties has eroded because of real time bidding and other data integration practices embraced by online publishing. As First parties import outside data for user targeting from many sources simultaneously, a user's decision regarding DNT for such provider partner sites could be ignored, I fear. 
>> 
>> 
>> Jeff Chester
>> Center for Digital Democracy
>> Washington DC
>> www.democraticmedia.org
>> Jeff@democraticmedia.org
>> 
>> On Nov 17, 2011, at 4:31 PM, John Simpson <john@consumerwatchdog.org> wrote:
>> 
>>> Mike,
>>> 
>>> The FTC hasn't taken a position on this.  That only happens when the commissioners vote and they have not.  I think what you're doing is predicting what you think a majority would say if they voted.
>>> 
>>> Best,
>>> John
>>> 
>>> On Nov 17, 2011, at 12:28 PM, Mike Zaneis wrote:
>>> 
>>>> This is where there is a fundamental split amongst the parties. We had a discussion several weeks ago about the first party obligations and I pointed out that IAB and my member companies generally support the U.S. FTC position that consumers don't expect first parties to be subject to such restrictions.  Those positions have not changed.
>>>> 
>>>> Mike Zaneis
>>>> SVP & General Counsel, IAB
>>>> (202) 253-1466
>>>> 
>>>> On Nov 17, 2011, at 2:56 PM, "John Simpson" <john@consumerwatchdog.org> wrote:
>>>> 
>>>>> Shane,
>>>>> 
>>>>> I don't understand why we would say that a 1st party most likely will not be subject to the DNT signal.  If we continue to use the 1st party/ 3rd party distinction, it will likely (almost certainly) have different and probably fewer obligations than a third party. It should still be subject to the signal.
>>>>> 
>>>>> As a user I want the 1st party site to know that I have DNT configured.  As a 1st party site operator I want to know a visitor has configured DNT and is sending me the signal.  There will be some "musts", ie not sharing data from a DNT configured user with 3rd parties, but if I am a responsible site operator I may chose to go further in honoring the DNT request.  For instance I might chose to not even include the visitor in my analytics. I need to know if  DNT is configured and the way this happens is by being subject to the DNT signal.
>>>>> 
>>>>> The obligations are different, but its important that we think of all sites being subject to the DNT signal, once it is configured in the browser.
>>>>> 
>>>>> 73s,
>>>>> John
>>>>> 
>>>>> On Nov 17, 2011, at 7:22 AM, Shane Wiley wrote:
>>>>> 
>>>>>> Karl,
>>>>>> 
>>>>>> This statement is an attempt to remove the concern that a 1st party, which will mostly likely not be subject to the DNT signal, does not have a backdoor opportunity to pass user data directly to a 3rd party (aka - closing a loop-hole).  3rd parties present on the 1st party's web site should honor the DNT signal directly.
>>>>>> 
>>>>>> - Shane
>>>>>> 
>>>>>> -----Original Message-----
>>>>>> From: Karl Dubost [mailto:karld@opera.com] 
>>>>>> Sent: Thursday, November 17, 2011 5:40 AM
>>>>>> To: Shane Wiley
>>>>>> Cc: John Simpson; Jules Polonetsky; Nicholas Doty; Roy T. Fielding; Mark Nottingham; <public-tracking@w3.org>
>>>>>> Subject: Re: "cross-site"
>>>>>> 
>>>>>> 
>>>>>> Le 16 nov. 2011 à 23:30, Shane Wiley a écrit :
>>>>>>> Alter statement to read "First parties must NOT share user specific data with 3rd parties for those user who send the DNT signal and have not granted a site-specific exception to the 1st party."  This will leave room for sharing with Agents/Service Providers/Vendors to the 1st party -- as well as sharing aggregate and anonymous data with "others" (general reporting, for example).  
>>>>>> 
>>>>>> I guess you mean 
>>>>>> s/DNT signal/DNT:1 signal"
>>>>>> 
>>>>>> Trying to understand what you are saying.
>>>>>> 
>>>>>> 1. User sends DNT:1 to a website with domain name www.example.org
>>>>>> 2. www.example.org collects data about the user 
>>>>>>   (IP address and categories of pages the user visits)
>>>>>> 3. Company Acme Hosting Inc. (a 3rd party) has access to these 
>>>>>>   data NOT through the Web but through an access to the logs file. 
>>>>>> 
>>>>>> 
>>>>>> What is happening?
>>>>>> 
>>>>>> 
>>>>>> -- 
>>>>>> Karl Dubost - http://dev.opera.com/
>>>>>> Developer Relations & Tools, Opera Software
>>>>>> 
>>>>>> 
>>>>> 
>>>>> ----------
>>>>> John M. Simpson
>>>>> Consumer Advocate
>>>>> Consumer Watchdog
>>>>> 1750 Ocean Park Blvd. ,Suite 200
>>>>> Santa Monica, CA,90405
>>>>> Tel: 310-392-7041
>>>>> Cell: 310-292-1902
>>>>> www.ConsumerWatchdog.org
>>>>> john@consumerwatchdog.org
>>>>> 
>>> 
>>> ----------
>>> John M. Simpson
>>> Consumer Advocate
>>> Consumer Watchdog
>>> 1750 Ocean Park Blvd. ,Suite 200
>>> Santa Monica, CA,90405
>>> Tel: 310-392-7041
>>> Cell: 310-292-1902
>>> www.ConsumerWatchdog.org
>>> john@consumerwatchdog.org
>>>