RE: "cross-site"

Aleecia,

Thanks for the clarification.

JC
Twitter<http://twitter.com/jccannon7>

From: Aleecia M. McDonald [mailto:aleecia@aleecia.com]
Sent: Friday, November 18, 2011 9:11 AM
To: Tracking Protection Working Group WG
Subject: Re: "cross-site"

Hi JC,

Most issues will not be fully written while we are reviewing the first party language, but we will have placeholders for our decisions on those topics when we move the first party discussion into the next draft (currently the FPWD). We cannot write the entire compliance/definitions document at once. It makes sense to get consensus decisions on pieces as we progress, even knowing that the discussions around some of the related issues can result in what Matthias calls "earthquakes" -- a subsequent decision that brings us back to revisit a set of earlier decisions.

So, some mention of it? Yes, issue-73 is already in the FPWD, which is what we will start editing. We will not forget that these issues are out there. And I expect we will start taking them up very soon.

            Aleecia

On Nov 18, 2011, at 8:03 AM, JC Cannon wrote:


That sounds fine, but I will like to see some mention of it in the first-party requirements section.

JC
Twitter<http://twitter.com/jccannon7>

From: Shane Wiley [mailto:wileys@yahoo-inc.com]
Sent: Friday, November 18, 2011 7:58 AM
To: JC Cannon; Jonathan Mayer; Ed Felten
Cc: Mike Zaneis; <public-tracking@w3.org<mailto:public-tracking@w3.org>>
Subject: RE: "cross-site"

Agreed - but this would be covered under the Agency/Service Provider/Vendor exception - whereby the 3rd party is treated the same as the 1st party - and has no independent rights to use that information outside of general product improvement and "reporting" on their business performance .

For example, MSFT contracts with VENDORA to fulfill transactions on their behalf.  VENDORA would not be able to leverage the information passed to them from MSFT to build profiles to be sold separately from MSFT's participation (again - not aware of this type of arrangement in the real-world but this is an exercise in closing loop-holes).  VENDORA would be able to use the information to improve their products generally (improve their fraud detection capabilities) and provide general company performance metrics - for example, VENDORA processed 1.2 Million transactions in the month of MONTH/YEAR.

From: JC Cannon [mailto:jccannon@microsoft.com]
Sent: Friday, November 18, 2011 7:43 AM
To: Shane Wiley; Jonathan Mayer; Ed Felten
Cc: Mike Zaneis; <public-tracking@w3.org<mailto:public-tracking@w3.org>>
Subject: RE: "cross-site"

I would expect an exclusion for first parties sending data to a third party as needed to fulfill a transaction on the part of the first party such as order fulfillment.

JC
Twitter<http://twitter.com/jccannon7>

From: Shane Wiley [mailto:wileys@yahoo-inc.com]
Sent: Friday, November 18, 2011 7:32 AM
To: Jonathan Mayer; Ed Felten
Cc: Mike Zaneis; <public-tracking@w3.org<mailto:public-tracking@w3.org>>
Subject: RE: "cross-site"

Jonathan,

I believe this is very close.

2 Possible Issues:

- 1. Transfer of Data to a Third-Party Website:  As long as "under this standard" can be taken to mean "when the DNT:1 signal is received" - then we're good.  The way this is written now is could be implied that this is true in all cases which is beyond the scope of this working group.
- 1. Transfer of Data from a First-Party Website:  As long as is "with respect to honoring a user's DNT:1 signal" then we're good.  The way this is written now is could be implied that this is true in all cases which is beyond the scope of this working group.

- Shane

From: Jonathan Mayer [mailto:jmayer@stanford.edu]
Sent: Friday, November 18, 2011 12:42 AM
To: Ed Felten
Cc: Mike Zaneis; <public-tracking@w3.org<mailto:public-tracking@w3.org>>
Subject: Re: "cross-site"

Agreed.  Between the discussion in Santa Clara, this thread, and these<http://lists.w3.org/Archives/Public/public-tracking/2011Oct/0001.html> threads<http://lists.w3.org/Archives/Public/public-tracking/2011Oct/0021.html>, I think we're very close to a consensus on first-party obligations.  Some time ago I drafted this text for the compliance document:

First-Party Requirements:
This standard imposes no requirements on first-party websites.  A first-party website MAY take steps to protect user privacy in responding to a Do Not Track request.

Here's what I would now propose:

First-Party Website Requirements

1. Transfer of Data to a Third-Party Website
A first-party website MUST NOT transfer data to a third-party website that the third-party website could not collect itself under this standard.  A first-party website MAY otherwise transfer data to a third-party website.

2. Additional Voluntary Measures
A first-party website MAY take additional steps to protect user privacy in responding to a Do Not Track request.

a. Example Voluntary Measures (Non-Normative)
[...]

...and then...

Third-Party Website Requirements

1. Transfer of Data from a First-Party Website
If a third-party website receives data from a first-party website, the data is subject to the same collection, retention, and use limitations under this standard as if the third-party website had collected the data itself.

Jonathan

(tags: ISSUE-17, ISSUE-51)

On Nov 17, 2011, at 2:37 PM, Ed Felten wrote:

It seems to me that there might be substantial agreement here.  As I
understand John, he was positing two reasons for sending a DNT flag to
first parties: (1) when DNT is enabled, first parties shouldn't
circumvent the limits on third-party collection by collecting data and
then sharing it with third parties, and (2) some first parties might
choose voluntarily to go beyond what the standard requires when they
see a DNT flag.

On Thu, Nov 17, 2011 at 3:28 PM, Mike Zaneis <mike@iab.net<mailto:mike@iab.net>> wrote:
This is where there is a fundamental split amongst the parties. We had a
discussion several weeks ago about the first party obligations and I pointed
out that IAB and my member companies generally support the U.S. FTC position
that consumers don't expect first parties to be subject to such
restrictions.  Those positions have not changed.

Mike Zaneis
SVP & General Counsel, IAB
(202) 253-1466
On Nov 17, 2011, at 2:56 PM, "John Simpson" <john@consumerwatchdog.org<mailto:john@consumerwatchdog.org>>
wrote:

Shane,
I don't understand why we would say that a 1st party most likely will not be
subject to the DNT signal.  If we continue to use the 1st party/ 3rd party
distinction, it will likely (almost certainly) have different and probably
fewer obligations than a third party. It should still be subject to the
signal.
As a user I want the 1st party site to know that I have DNT configured.  As
a 1st party site operator I want to know a visitor has configured DNT and is
sending me the signal.  There will be some "musts", ie not sharing data from
a DNT configured user with 3rd parties, but if I am a responsible site
operator I may chose to go further in honoring the DNT request.  For
instance I might chose to not even include the visitor in my analytics. I
need to know if  DNT is configured and the way this happens is by being
subject to the DNT signal.
The obligations are different, but its important that we think of all sites
being subject to the DNT signal, once it is configured in the browser.

73s,
John
On Nov 17, 2011, at 7:22 AM, Shane Wiley wrote:

Karl,

This statement is an attempt to remove the concern that a 1st party, which
will mostly likely not be subject to the DNT signal, does not have a
backdoor opportunity to pass user data directly to a 3rd party (aka -
closing a loop-hole).  3rd parties present on the 1st party's web site
should honor the DNT signal directly.

- Shane

-----Original Message-----
From: Karl Dubost [mailto:karld@opera.com]
Sent: Thursday, November 17, 2011 5:40 AM
To: Shane Wiley
Cc: John Simpson; Jules Polonetsky; Nicholas Doty; Roy T. Fielding; Mark
Nottingham; <public-tracking@w3.org<mailto:public-tracking@w3.org>>
Subject: Re: "cross-site"


Le 16 nov. 2011 à 23:30, Shane Wiley a écrit :

Alter statement to read "First parties must NOT share user specific data
with 3rd parties for those user who send the DNT signal and have not granted
a site-specific exception to the 1st party."  This will leave room for
sharing with Agents/Service Providers/Vendors to the 1st party -- as well as
sharing aggregate and anonymous data with "others" (general reporting, for
example).

I guess you mean
s/DNT signal/DNT:1 signal"

Trying to understand what you are saying.

1. User sends DNT:1 to a website with domain name www.example.org<http://www.example.org>
2. www.example.org<http://www.example.org> collects data about the user
  (IP address and categories of pages the user visits)
3. Company Acme Hosting Inc. (a 3rd party) has access to these
  data NOT through the Web but through an access to the logs file.


What is happening?


--
Karl Dubost - http://dev.opera.com/
Developer Relations & Tools, Opera Software



----------
John M. Simpson
Consumer Advocate
Consumer Watchdog
1750 Ocean Park Blvd. ,Suite 200
Santa Monica, CA,90405
Tel: 310-392-7041
Cell: 310-292-1902
www.ConsumerWatchdog.org<http://www.ConsumerWatchdog.org>
john@consumerwatchdog.org<mailto:john@consumerwatchdog.org>

Received on Friday, 18 November 2011 17:14:40 UTC