Re: Issue-17, Issue-51 First party obligations

On Nov 30, 2011, at 10:36 AM, Jeffrey Chester wrote:

> In addition, although sites might be commonly owned--as in Google/YouTube--the tracking and targeting approaches can be different.  Consequently, users should not be expected to safely assume that they understand all the ways they can be tracked and data collected even by a commonly owned entity.  So the focus should be, as I believe we all agree, on maximizing consumer privacy.

Maximizing consumer privacy is an unbounded wish, not the focus of this group.

DNT is about HTTP tracking of users from sites that might be trusted to sites that
might not be trusted and the sharing of personally identifiable or behavioral
information collected at one site with any other site that a user would not have
expected to have deliberately provided that information.  It doesn't matter how
the data is collected or how the user is tracked -- what matters is that a user's
choice to provide data to one site does not imply that they want the same data
(or generalizations based on that data) to effect their interactions with, be
observable by, or be retained by other sites.

So, we our specifying a means for the user to express that they do not wish such
data to be retained/used by any site other than the one that they deliberately
decided to provide it to, along with a set of constraints on recipients of such
data when the DNT expression is enabled.  This requires that we distinguish
between sites that have been deliberately chosen by the user to receive the data
(a.k.a., first parties) and anyone else who just happens to receive that data
because of how browsers request, process, and render page elements provided
by the first party.  It also requires that we define the scope of a "site" as
an aspect of the user's perception of their own deliberate decision, rather than
a more technical term like domain (an artifact of DNS) or same-origin (an artifact
of web application security).

That is the technical problem we are trying to solve.  All of the input
documents state it that way, not as a salvation for privacy in general.
All of the participants at the Cambridge F2F agreed that the constraints
did not apply to non-sharing first-party sites.  The issue would have been
closed then if it were not for the minor detail that we had no definition
for "first-party" and thus couldn't reasonably resolve to an unknown.

There are many other privacy concerns that have nothing to do with DNT.
For example, how Amazon presents behavioral advertising within its own
site based on information collected on that customer within its own site.
Those settings can be controlled in the Amazon account profile, not in HTTP.
Amazon may choose, for its own business reasons, to modify its own behavior
based on the presence of DNT, but there are no requirements or expectations
in the protocol for it to do so.  They are not a privacy concern because
the user is deliberately using their services, Amazon does not share that
data with third parties AFAIK, and Amazon provides a way to edit, delete, or
disable its use for personalization and targeting.  We don't have to make
a standard for them because there is nothing in HTTP or HTML that tells a
user where they can choose to shop.

Likewise, the set of interactions that occur wholly within the Google+ or
Facebook site that represent deliberate choices by the user to make use of
those services are not a subject relevant to this WG.  We are only focusing
on cross-site interactions that are not a deliberate choice of the user.
That's how DNT has been presented in all of the original proposals and is
the basis for why companies like Adobe are participating in this process.

People who want DNT to be successful do not want it to impact deliberate
choices by the user because that will result in the same failures as
previous attempts to convince people to turn off cookies.  The only way
that features like this make sense is if it is easier to obey with
degraded service than it is to tell the user to turn DNT off first.

Whether or not Google and Youtube are considered the same site depends
on both site ownership (control) and appearance (branding).  What matters
is that the user thinks they are, or are not, the same site when providing
the data.  This is not a problem that we can solve in HTTP, nor is it a
problem that we need to solve in DNT.  The site owners need to decide
the extent of their own same-branding and thus the extent to which they
can internally share data without violating the user's expressed consent.
DNT cannot usefully define it any more than that because neither same-branding
nor same-ownership are observable within the protocol.  The user's
expectations, however, can be enforced by users or regulators by choosing
to boycott their services or more directly by filing lawsuits.  Hence,
any widening of the first-party definition is inherently governed by
real user expectations, not by anything we document within the spec.
It is in the site's best interests to obey those expectations.


Received on Wednesday, 30 November 2011 20:36:23 UTC