Re: issues 23 and 34, happy new year's initial text for all...

The use of tools for analytics, internal operations, and user targeting, in my opinion, is often integrated. While I agree that sites must need to engage in ad delivery verification and collect in aggregate, etc., many analytic techniques are part of the profiled targeting paradigm. Drawing the proper line that can help respect the DNT signal is something I am trying to clarify. When a site is using Adobe Omniture, for example, and there is an integrated set of analytic, tracking and targeting tools, what is the proper way to define the distinctions?

Many thanks,

Jeff


Jeffrey Chester
Center for Digital Democracy
1621 Connecticut Ave, NW, Suite 550
Washington, DC 20009
www.democraticmedia.org
www.digitalads.org
202-986-2220

On Jan 4, 2012, at 11:22 AM, Sean Harvey wrote:

> Hi Jeff, I don't think allowing a first party access to third party data in a DNT context is the spirit of what is trying to be documented here. Can you elaborate on what portions of the text appear to authorize use of third party data by the first party? 
> 
> Correct me if I'm wrong but I believe the intent of the drafters is to allow first parties to use third party software tools to manage their site, not third party data to customize user experience. 
> 
> 
> 
> On Wed, Jan 4, 2012 at 11:19 AM, Jeffrey Chester <jeff@democraticmedia.org> wrote:
> There are third party data and third party data, as you know.  For a First Party to have unfettered access to Third Party Tracking data, such as provided by eXelate or dozens of other similar firms, would seem to me to undermine the spirit of a DNT regime.  Especially if that First Party later uses such data as part of profile based targeting or auction sales.
> 
> 
> 
> On Jan 4, 2012, at 10:46 AM, Shane Wiley wrote:
> 
>> Jeff,
>>  
>> Your comments would suggest you don’t support a 1st party exemption to DNT for information that is collected on their website and only used on their website.  I thought we, as a group, had moved beyond this part of this discussion (1st Party Exemption).
>>  
>> Issue 23 simply attempts to call out the scenario where a 3rd party is acting purely for the benefit of a 1st party with no independent rights or uses of the information allowed.  For example, if WebSiteAnalyticsVendor is tracking site usage (pages viewed, navigation links used, etc.) for WebSitePublisherABC – and they only convey this information to WebSitePublisherABC and use it for no other purpose, then this fundamental business operation should be able to survive the DNT signal.
>>  
>> - Shane
>>  
>> From: Jeffrey Chester [mailto:jeff@democraticmedia.org] 
>> Sent: Wednesday, January 04, 2012 8:38 AM
>> To: David Singer
>> Cc: <public-tracking@w3.org> (public-tracking@w3.org)
>> Subject: Re: issues 23 and 34, happy new year's initial text for all...
>>  
>> The proposal for Issue 23 potentially creates a scenario where a user's intention for DNT could be undermined by allowing a "third party site...operate as a first party."  A user who doesn't want to be tracked should not have to deal with such a proposed exemption.  Even if the specs as proposed applied, the use of outside tracking related data by a First Party without user consent is an insufficient safeguard.
>>  
>> As for aggregate analytics, I agree such data is required.  But we should discuss what signals are required to ensure such analytics are not used for profile based targeting/profile/network user sales.  
>>  
>> Best to all for the New Year.
>>  
>> Jeff
>>  
>>  
>>  
>> On Jan 3, 2012, at 6:18 PM, David Singer wrote:
>> 
>> 
>> Issue number: 23
>>  
>>  
>> Issue name: Possible exemption for analytics
>> Suggested retitle: Possible exemption for outsourcing
>>  
>> Issue URL:
>>   http://www.w3.org/2011/tracking-protection/track/issues/23
>>  
>> Section number in the FPWD: 3.4 Types of Tracking
>> Contributors to this text: (Draft) David Singer, (Edit) Jonathan Mayer
>>  
>> Specification:
>> A third-party site may operate as a first-party site if all the following conditions hold:
>> 1. the data collection, retention, and use, complies with at least the requirements for first-parties;
>> 2. the data collected is available only to the first party, and the third party has no independent right to use the data;
>> 3. the third party makes commitments to adhere to this standard in a form that is legally enforceable (directly or indirectly) by the first party, individual users, and regulators; data retention by the third party must not survive the end of this legal enforceability;
>> 4. the third party undertakes reasonable technical precautions to prevent collecting data that could be correlated across first parties.
>>  
>> Non-normative Discussion:
>> The rationale for rule (2) is that we allow the third party to stand in the first party’s shoes – but go no further.  The third party may not use the data it collects for “product improvement,” “aggregate analytics,” or any other purpose except to fulfill a request by a first party, where the results are shared only with the first party.
>>  
>> Rule (3) allows for the possibility of more than one level of outsourcing.
>>  
>> In rule (4), one component of reasonable technical precautions will often be using the same-origin policy to segregate information for each first-party customer.
>>  
>> Note that any data collected by the third party that is used, or may be used, in any way by any party other than the first party, is subject to the requirements for third parties.
>>  
>> Example:
>> ExampleAnalytics collects analytic data for ExampleProducts Inc. It operates a site under the DNS analytics.exampleproducts.com. It collects and analyzes data on visits to ExampleProducts, and provides that data solely to ExampleProducts, and does not access or use it itself.
>>  
>> Text that possibly belongs in other sections:
>> When the third party sends a response header, that header must indicate that they are a third party and that they are operating under this exception.
>> Note that a third party that operates under a domain name or other arrangement that makes it appear to the user as if they are the first party, or a part or affiliate of the first party, is nonetheless a third party and is subject to the requirements of this clause ("DNS masquerading").
>>  
>>  
>>  
>> Issue number: 34
>> Issue name: Possible exemption for aggregate analytics
>> Suggested retitle: Possible exemption for unidentifiable data
>>  
>> Issue URL:
>>   http://www.w3.org/2011/tracking-protection/track/issues/34
>>  
>> Section number in the FPWD: 3.4 Types of Tracking
>> Contributors to this text: (Draft) David Singer, (Edit) Jonathan Mayer
>>  
>> Specification:
>> A third party may collect, retain, and use any information from a user or user agent that, with high probability, could not be used to:
>> 1) identify or nearly identify a user or user agent; or
>> 2) correlate the activities of a user or user agent across multiple network interactions.
>>  
>> Examples:
>> 1. A third-party advertising network records the fact that it displayed an ad. 
>> 2. A third-party analytics service counts the number of times a popular page was loaded.
>>  
>> Non-Normative Discussion:
>> This exception (like all exceptions) may not be combined with other exceptions unless specifically allowed.  A third party acting within the outsourcing exception, for example, may not make independent use of the data it has collected even though the use involves unidentifiable data.  A rule to the contrary would provide a perverse incentive for third parties to press all exceptions to the limit and then use the collected data within this exception.
>> A potential ‘safe harbor’ under this clause could be to retain only aggregate counts, not per-transaction records.
>>  
>> Text that possibly belongs elsewhere:
>> Possible advances in de-anonymization that make previously non-identifiable data, identifiable, should be considered.  
>> [Maybe need an issue: whose problem is it when data from disparate sources, all but one of which are anonymous, is combined to achieve de-anonymization?]
>>  
>>  
>>  
>>  
>>  
> 
> 
> 
> 
> -- 
> Sean Harvey
> Business Product Manager
> Google, Inc. 
> 212-381-5330
> sharvey@google.com

Received on Wednesday, 4 January 2012 16:28:52 UTC