Re: "cross-site" from John Simpson on 2011-11-19 (public-tracking@w3.org from November 2011)

From: John Simpson <john@consumerwatchdog.org>
Date: Sat, 19 Nov 2011 13:06:04 -0800
To: Jonathan Robert Mayer <jmayer@stanford.edu>
Cc: Ed Felten <ed@felten.com>, Mike Zaneis <mike@iab.net>, "<public-tracking@w3.org>" <public-tracking@w3.org>
Message-Id: <687D0D3D-524E-4BE9-A54C-EB0D87A8E02B@consumerwatchdog.org>
Thanks. Got it. Agree with the principle.

----------------
John M. Simpson
Consumer Advocate
Consumer Watchdog
Tel: 310-392-7041
 

On Nov 19, 2011, at 1:03 PM, Jonathan Robert Mayer <jmayer@stanford.edu> wrote:

> *resending since copy+paste fail*
> 
> Suppose a first party doesn't want third-party resources on its site, so it sends web server logs to a third-party analytics service instead of embedding a script or pixel. So long as the data transferred is data the third party could have collected under the outsourcing exception, this text would allow the practice.
> 
> At a higher level, this text is just another instance of the principle (shared by many around the table, I believe) that we should not be (to the extent possible) drafting language that is technology-specific.
> 
> On Nov 18, 2011, at 1:19 PM, John Simpson <john@consumerwatchdog.org> wrote:
> 
>> Thanks, Jonathan.  Interesting proposal.  Can you please give me an example of what data a First Party site could transfer under the "may otherwise transfer data" language?
>> 
>> 
>> On Nov 18, 2011, at 12:42 AM, Jonathan Mayer wrote:
>> 
>>> Agreed.  Between the discussion in Santa Clara, this thread, and these threads, I think we're very close to a consensus on first-party obligations.  Some time ago I drafted this text for the compliance document:
>>> 
>>>> First-Party Requirements:
>>>> This standard imposes no requirements on first-party websites.  A first-party website MAY take steps to protect user privacy in responding to a Do Not Track request.
>>> 
>>> Here's what I would now propose:
>>> 
>>> First-Party Website Requirements
>>> 
>>> 1. Transfer of Data to a Third-Party Website
>>> A first-party website MUST NOT transfer data to a third-party website that the third-party website could not collect itself under this standard.  A first-party website MAY otherwise transfer data to a third-party website.
>>> 
>>> 2. Additional Voluntary Measures
>>> A first-party website MAY take additional steps to protect user privacy in responding to a Do Not Track request.
>>> 
>>> a. Example Voluntary Measures (Non-Normative)
>>> […]
>>> 
>>> ...and then...
>>> 
>>> Third-Party Website Requirements
>>> 
>>> 1. Transfer of Data from a First-Party Website
>>> If a third-party website receives data from a first-party website, the data is subject to the same collection, retention, and use limitations under this standard as if the third-party website had collected the data itself.
>>> 
>>> Jonathan
>>> 
>>> (tags: ISSUE-17, ISSUE-51)
>>> 
>>> On Nov 17, 2011, at 2:37 PM, Ed Felten wrote:
>>> 
>>>> It seems to me that there might be substantial agreement here.  As I
>>>> understand John, he was positing two reasons for sending a DNT flag to
>>>> first parties: (1) when DNT is enabled, first parties shouldn't
>>>> circumvent the limits on third-party collection by collecting data and
>>>> then sharing it with third parties, and (2) some first parties might
>>>> choose voluntarily to go beyond what the standard requires when they
>>>> see a DNT flag.
>>>> 
>>>> On Thu, Nov 17, 2011 at 3:28 PM, Mike Zaneis <mike@iab.net> wrote:
>>>>> This is where there is a fundamental split amongst the parties. We had a
>>>>> discussion several weeks ago about the first party obligations and I pointed
>>>>> out that IAB and my member companies generally support the U.S. FTC position
>>>>> that consumers don't expect first parties to be subject to such
>>>>> restrictions.  Those positions have not changed.
>>>>> 
>>>>> Mike Zaneis
>>>>> SVP & General Counsel, IAB
>>>>> (202) 253-1466
>>>>> On Nov 17, 2011, at 2:56 PM, "John Simpson" <john@consumerwatchdog.org>
>>>>> wrote:
>>>>> 
>>>>> Shane,
>>>>> I don't understand why we would say that a 1st party most likely will not be
>>>>> subject to the DNT signal.  If we continue to use the 1st party/ 3rd party
>>>>> distinction, it will likely (almost certainly) have different and probably
>>>>> fewer obligations than a third party. It should still be subject to the
>>>>> signal.
>>>>> As a user I want the 1st party site to know that I have DNT configured.  As
>>>>> a 1st party site operator I want to know a visitor has configured DNT and is
>>>>> sending me the signal.  There will be some "musts", ie not sharing data from
>>>>> a DNT configured user with 3rd parties, but if I am a responsible site
>>>>> operator I may chose to go further in honoring the DNT request.  For
>>>>> instance I might chose to not even include the visitor in my analytics. I
>>>>> need to know if  DNT is configured and the way this happens is by being
>>>>> subject to the DNT signal.
>>>>> The obligations are different, but its important that we think of all sites
>>>>> being subject to the DNT signal, once it is configured in the browser.
>>>>> 
>>>>> 73s,
>>>>> John
>>>>> On Nov 17, 2011, at 7:22 AM, Shane Wiley wrote:
>>>>> 
>>>>> Karl,
>>>>> 
>>>>> This statement is an attempt to remove the concern that a 1st party, which
>>>>> will mostly likely not be subject to the DNT signal, does not have a
>>>>> backdoor opportunity to pass user data directly to a 3rd party (aka -
>>>>> closing a loop-hole).  3rd parties present on the 1st party's web site
>>>>> should honor the DNT signal directly.
>>>>> 
>>>>> - Shane
>>>>> 
>>>>> -----Original Message-----
>>>>> From: Karl Dubost [mailto:karld@opera.com]
>>>>> Sent: Thursday, November 17, 2011 5:40 AM
>>>>> To: Shane Wiley
>>>>> Cc: John Simpson; Jules Polonetsky; Nicholas Doty; Roy T. Fielding; Mark
>>>>> Nottingham; <public-tracking@w3.org>
>>>>> Subject: Re: "cross-site"
>>>>> 
>>>>> 
>>>>> Le 16 nov. 2011 à 23:30, Shane Wiley a écrit :
>>>>> 
>>>>> Alter statement to read "First parties must NOT share user specific data
>>>>> with 3rd parties for those user who send the DNT signal and have not granted
>>>>> a site-specific exception to the 1st party."  This will leave room for
>>>>> sharing with Agents/Service Providers/Vendors to the 1st party -- as well as
>>>>> sharing aggregate and anonymous data with "others" (general reporting, for
>>>>> example).
>>>>> 
>>>>> I guess you mean
>>>>> s/DNT signal/DNT:1 signal"
>>>>> 
>>>>> Trying to understand what you are saying.
>>>>> 
>>>>> 1. User sends DNT:1 to a website with domain name www.example.org
>>>>> 2. www.example.org collects data about the user
>>>>>   (IP address and categories of pages the user visits)
>>>>> 3. Company Acme Hosting Inc. (a 3rd party) has access to these
>>>>>   data NOT through the Web but through an access to the logs file.
>>>>> 
>>>>> 
>>>>> What is happening?
>>>>> 
>>>>> 
>>>>> --
>>>>> Karl Dubost - http://dev.opera.com/
>>>>> Developer Relations & Tools, Opera Software
>>>>> 
>>>>> 
>>>>> 
>>>>> ----------
>>>>> John M. Simpson
>>>>> Consumer Advocate
>>>>> Consumer Watchdog
>>>>> 1750 Ocean Park Blvd. ,Suite 200
>>>>> Santa Monica, CA,90405
>>>>> Tel: 310-392-7041
>>>>> Cell: 310-292-1902
>>>>> www.ConsumerWatchdog.org
>>>>> john@consumerwatchdog.org
>>>>> 
>>>> 
>>>> 
>>> 
>> 
>> ----------
>> John M. Simpson
>> Consumer Advocate
>> Consumer Watchdog
>> 1750 Ocean Park Blvd. ,Suite 200
>> Santa Monica, CA,90405
>> Tel: 310-392-7041
>> Cell: 310-292-1902
>> www.ConsumerWatchdog.org
>> john@consumerwatchdog.org
>>
Received on Saturday, 19 November 2011 21:06:43 UTC