- From: Jonathan Robert Mayer <jmayer@stanford.edu>
- Date: Sat, 19 Nov 2011 13:00:45 -0800 (PST)
- To: John Simpson <john@consumerwatchdog.org>
- Cc: Ed Felten <ed@felten.com>, Mike Zaneis <mike@iab.net>, "<public-tracking@w3.org>" <public-tracking@w3.org>
- Message-Id: <596D3114-8D24-4167-A725-082ABB1DA544@stanford.edu>
Suppose a first party doesn't want third-party resources on its site, so it sends web server logs to a third-party analytics service instead of embedding a script or pixel. So long as the data transferred is data the third party could have collected under the outsourcing exception, this text would allow the practice. At a higher level, this text is just another instance of the principle (shared by many around the table, I believe) that we should not be On Nov 18, 2011, at 1:19 PM, John Simpson <john@consumerwatchdog.org> wrote: > Thanks, Jonathan. Interesting proposal. Can you please give me an example of what data a First Party site could transfer under the "may otherwise transfer data" language? > > > On Nov 18, 2011, at 12:42 AM, Jonathan Mayer wrote: > >> Agreed. Between the discussion in Santa Clara, this thread, and these threads, I think we're very close to a consensus on first-party obligations. Some time ago I drafted this text for the compliance document: >> >>> First-Party Requirements: >>> This standard imposes no requirements on first-party websites. A first-party website MAY take steps to protect user privacy in responding to a Do Not Track request. >> >> Here's what I would now propose: >> >> First-Party Website Requirements >> >> 1. Transfer of Data to a Third-Party Website >> A first-party website MUST NOT transfer data to a third-party website that the third-party website could not collect itself under this standard. A first-party website MAY otherwise transfer data to a third-party website. >> >> 2. Additional Voluntary Measures >> A first-party website MAY take additional steps to protect user privacy in responding to a Do Not Track request. >> >> a. Example Voluntary Measures (Non-Normative) >> […] >> >> ...and then... >> >> Third-Party Website Requirements >> >> 1. Transfer of Data from a First-Party Website >> If a third-party website receives data from a first-party website, the data is subject to the same collection, retention, and use limitations under this standard as if the third-party website had collected the data itself. >> >> Jonathan >> >> (tags: ISSUE-17, ISSUE-51) >> >> On Nov 17, 2011, at 2:37 PM, Ed Felten wrote: >> >>> It seems to me that there might be substantial agreement here. As I >>> understand John, he was positing two reasons for sending a DNT flag to >>> first parties: (1) when DNT is enabled, first parties shouldn't >>> circumvent the limits on third-party collection by collecting data and >>> then sharing it with third parties, and (2) some first parties might >>> choose voluntarily to go beyond what the standard requires when they >>> see a DNT flag. >>> >>> On Thu, Nov 17, 2011 at 3:28 PM, Mike Zaneis <mike@iab.net> wrote: >>>> This is where there is a fundamental split amongst the parties. We had a >>>> discussion several weeks ago about the first party obligations and I pointed >>>> out that IAB and my member companies generally support the U.S. FTC position >>>> that consumers don't expect first parties to be subject to such >>>> restrictions. Those positions have not changed. >>>> >>>> Mike Zaneis >>>> SVP & General Counsel, IAB >>>> (202) 253-1466 >>>> On Nov 17, 2011, at 2:56 PM, "John Simpson" <john@consumerwatchdog.org> >>>> wrote: >>>> >>>> Shane, >>>> I don't understand why we would say that a 1st party most likely will not be >>>> subject to the DNT signal. If we continue to use the 1st party/ 3rd party >>>> distinction, it will likely (almost certainly) have different and probably >>>> fewer obligations than a third party. It should still be subject to the >>>> signal. >>>> As a user I want the 1st party site to know that I have DNT configured. As >>>> a 1st party site operator I want to know a visitor has configured DNT and is >>>> sending me the signal. There will be some "musts", ie not sharing data from >>>> a DNT configured user with 3rd parties, but if I am a responsible site >>>> operator I may chose to go further in honoring the DNT request. For >>>> instance I might chose to not even include the visitor in my analytics. I >>>> need to know if DNT is configured and the way this happens is by being >>>> subject to the DNT signal. >>>> The obligations are different, but its important that we think of all sites >>>> being subject to the DNT signal, once it is configured in the browser. >>>> >>>> 73s, >>>> John >>>> On Nov 17, 2011, at 7:22 AM, Shane Wiley wrote: >>>> >>>> Karl, >>>> >>>> This statement is an attempt to remove the concern that a 1st party, which >>>> will mostly likely not be subject to the DNT signal, does not have a >>>> backdoor opportunity to pass user data directly to a 3rd party (aka - >>>> closing a loop-hole). 3rd parties present on the 1st party's web site >>>> should honor the DNT signal directly. >>>> >>>> - Shane >>>> >>>> -----Original Message----- >>>> From: Karl Dubost [mailto:karld@opera.com] >>>> Sent: Thursday, November 17, 2011 5:40 AM >>>> To: Shane Wiley >>>> Cc: John Simpson; Jules Polonetsky; Nicholas Doty; Roy T. Fielding; Mark >>>> Nottingham; <public-tracking@w3.org> >>>> Subject: Re: "cross-site" >>>> >>>> >>>> Le 16 nov. 2011 à 23:30, Shane Wiley a écrit : >>>> >>>> Alter statement to read "First parties must NOT share user specific data >>>> with 3rd parties for those user who send the DNT signal and have not granted >>>> a site-specific exception to the 1st party." This will leave room for >>>> sharing with Agents/Service Providers/Vendors to the 1st party -- as well as >>>> sharing aggregate and anonymous data with "others" (general reporting, for >>>> example). >>>> >>>> I guess you mean >>>> s/DNT signal/DNT:1 signal" >>>> >>>> Trying to understand what you are saying. >>>> >>>> 1. User sends DNT:1 to a website with domain name www.example.org >>>> 2. www.example.org collects data about the user >>>> (IP address and categories of pages the user visits) >>>> 3. Company Acme Hosting Inc. (a 3rd party) has access to these >>>> data NOT through the Web but through an access to the logs file. >>>> >>>> >>>> What is happening? >>>> >>>> >>>> -- >>>> Karl Dubost - http://dev.opera.com/ >>>> Developer Relations & Tools, Opera Software >>>> >>>> >>>> >>>> ---------- >>>> John M. Simpson >>>> Consumer Advocate >>>> Consumer Watchdog >>>> 1750 Ocean Park Blvd. ,Suite 200 >>>> Santa Monica, CA,90405 >>>> Tel: 310-392-7041 >>>> Cell: 310-292-1902 >>>> www.ConsumerWatchdog.org >>>> john@consumerwatchdog.org >>>> >>> >>> >> > > ---------- > John M. Simpson > Consumer Advocate > Consumer Watchdog > 1750 Ocean Park Blvd. ,Suite 200 > Santa Monica, CA,90405 > Tel: 310-392-7041 > Cell: 310-292-1902 > www.ConsumerWatchdog.org > john@consumerwatchdog.org >
Received on Saturday, 19 November 2011 21:01:18 UTC