Re: Input to ISSUE-137 (service provider flag)

On Aug 27, 2012, at 11:50 , Roy T. Fielding <> wrote:

> As mentioned previously, I object to requiring that service providers
> acting as a first party be required to behave differently than a first
> party would, unless there is a compelling (and agreed) privacy need
> that is being protected.

Previously, we didn't have behavioral rules; as I recall, we had "obey all the rules for a 1st party" plus "silo the data to only the first party (and not even yourself)".  The privacy need is to ensure that data that is collected under (the almost empty) first party rules is, in fact, being used by a first party.

Also, perhaps there is value in *allowing but not requiring*?  Indeed, the qualifiers are intended to match the permissions in the compliance document, and since I rather expect the 'service provider/agent of 1st party' permission to survive, we'd then have a way that allowed a party to indicate they claim this permission.

David Singer
Multimedia and Software Standards, Apple Inc.

Received on Monday, 27 August 2012 19:34:33 UTC