Re: issues 23 and 34, happy new year's initial text for all...

On Jan 9, 2012, at 9:58 PM, Jonathan Mayer wrote:

> With the caveat that I'm certainly no expert on EU data protection law: I believe David's text may go a bit further than the "data processor" limitations by requiring a greater set of legal and technical precautions.

That's possible. Nevertheless, they are along the same lines and I think it is a good starting point to frame the outsourcing exception.

That said, I'm a bit skeptical about trying to align this work _too_ much with both US, Canadian and EU privacy laws. DNT must make sense in relation to applicable laws = the DNT signal and compliance to it must in a meaningful way address the raised privacy concerns while being based on how the web actually works.

Haakon


> 
> Jonathan
> 
> On Jan 9, 2012, at 12:14 PM, Haakon Bratsberg wrote:
> 
>> 
>> On Jan 9, 2012, at 5:59 PM, Rigo Wenning wrote:
>> 
>>> David, 
>>> 
>>> I like your suggestion. We should ask Rob about it as I think the restrictions 
>>> even match the definition of a data processor under the EU Directive, thus 
>>> giving the entire responsibility to the first party (data controller in EU 
>>> talk)
>> 
>> I agree that the restrictions are close to the definition of "processor" in EU privacy law.
>> 
>> Section 2 e) of Directive 95/46/EC reads:
>> 
>>> 'processor' shall mean a natural or legal person, public authority, agency or any
>>> other body which processes personal data on behalf of the controller;
>> 
>>    <http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:31995L0046:en:HTML>
>> 
>> David's text reflects the limitations on the processor's ability to process the data that follows from EU privacy law. 
>> 
>> Haakon
>> 
>> 
>>> 
>>> Can we resolve?
>>> 
>>> Rigo 
>>> 
>>> On Tuesday 03 January 2012 15:18:30 David Singer wrote:
>>>> Issue number: 23
>>>> 
>>>> Issue name: Possible exemption for analytics
>>>> Suggested retitle: Possible exemption for outsourcing
>>>> 
>>>> Issue URL:
>>>> http://www.w3.org/2011/tracking-protection/track/issues/23
>>>> 
>>>> Section number in the FPWD: 3.4 Types of Tracking
>>>> Contributors to this text: (Draft) David Singer, (Edit) Jonathan Mayer
>>>> 
>>>> Specification:
>>>> A third-party site may operate as a first-party site if all the following
>>>> conditions hold: the data collection, retention, and use, complies with at
>>>> least the requirements for first-parties; the data collected is available
>>>> only to the first party, and the third party has no independent right to
>>>> use the data; the third party makes commitments to adhere to this standard
>>>> in a form that is legally enforceable (directly or indirectly) by the first
>>>> party, individual users, and regulators; data retention by the third party
>>>> must not survive the end of this legal enforceability; the third party
>>>> undertakes reasonable technical precautions to prevent collecting data that
>>>> could be correlated across first parties.
>>>> 
>>>> Non-normative Discussion:
>>>> The rationale for rule (2) is that we allow the third party to stand in the
>>>> first party’s shoes – but go no further.  The third party may not use the
>>>> data it collects for “product improvement,” “aggregate analytics,” or any
>>>> other purpose except to fulfill a request by a first party, where the
>>>> results are shared only with the first party.
>>>> 
>>>> Rule (3) allows for the possibility of more than one level of outsourcing.
>>>> 
>>>> In rule (4), one component of reasonable technical precautions will often be
>>>> using the same-origin policy to segregate information for each first-party
>>>> customer.
>>>> 
>>>> Note that any data collected by the third party that is used, or may be
>>>> used, in any way by any party other than the first party, is subject to the
>>>> requirements for third parties.
>>>> 
>>>> Example:
>>>> ExampleAnalytics collects analytic data for ExampleProducts Inc.  It
>>>> operates a site under the DNS analytics.exampleproducts.com. It collects
>>>> and analyzes data on visits to ExampleProducts, and provides that data
>>>> solely to ExampleProducts, and does not access or use it itself.
>>>> 
>>>> Text that possibly belongs in other sections:
>>>> When the third party sends a response header, that header must indicate that
>>>> that they are a third party and that they are operating under this
>>>> exception. Note that a third party that operates under a domain name or
>>>> other arrangement that makes it appear to the user as if they are the first
>>>> party, or a part or affiliate of the first party, is nonetheless a third
>>>> party and is subject to the requirements of this clause ("DNS
>>>> masquerading").
>>>> 
>>>> 
>>>> 
>>>> Issue number: 34
>>>> Issue name: Possible exemption for aggregate analytics
>>>> Suggested retitle: Possible exemption for unidentifiable data
>>>> 
>>>> Issue URL:
>>>> http://www.w3.org/2011/tracking-protection/track/issues/34
>>>> 
>>>> Section number in the FPWD: 3.4 Types of Tracking
>>>> Contributors to this text: (Draft) David Singer, (Edit) Jonathan Mayer
>>>> 
>>>> Specification:
>>>> A third party may collect, retain, and use any information from a user or
>>>> user agent that, with high probability, could not be used to: 1) identify
>>>> or nearly identify a user or user agent; or
>>>> 2) correlate the activities of a user or user agent across multiple network
>>>> interactions.
>>>> 
>>>> Examples:
>>>> 1. A third-party advertising network records the fact that it displayed an
>>>> ad.
>>>> 2. A third-party analytics service counts the number of times a popular
>>>> page was loaded.
>>>> 
>>>> Non-Normative Discussion:
>>>> This exception (like all exceptions) may not be combined with other
>>>> exceptions unless specifically allowed.  A third party acting within the
>>>> outsourcing exception, for example, may not make independent use of the
>>>> data it has collected even though the use involves unidentifiable data.  A
>>>> rule to the contrary would provide a perverse incentive for third parties
>>>> to press all exceptions to the limit and then use the collected data within
>>>> this exception. A potential ‘safe harbor’ under this clause could be to
>>>> retain only aggregate counts, not per-transaction records.
>>>> 
>>>> Text that possibly belongs elsewhere:
>>>> Possible advances in de-anonymization that make previously non-identifiable
>>>> data, identifiable, should be considered. [Maybe need an issue: whose
>>>> problem is it when data from disparate sources, all but one of which are
>>>> anonymous, is combined to achieve de-anonymization?]
>> 
>> 
> 

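The two data-handling points in David's draft quoted above (the technical precaution against collecting data that could be correlated across first parties, and the "aggregate counts, not per-transaction records" safe harbor), as an added illustration that is not part of this thread or the draft text; the sample traffic, examplenews.com and the identifiers are constructed, only exampleproducts.com comes from the draft's example:

```python
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Request:
    first_party: str        # customer site on whose behalf the request is served
    page: str
    cookie: Optional[str]   # per-user identifier, if the browser sent one
    client_ip: str

# Constructed sample traffic: one browser (cookie uid-1, same IP) visits two
# different customers of the outsourced analytics service.
SAMPLE = [
    Request("exampleproducts.com", "/", "uid-1", "198.51.100.7"),
    Request("exampleproducts.com", "/pricing", "uid-1", "198.51.100.7"),
    Request("examplenews.com", "/front", "uid-1", "198.51.100.7"),
    Request("exampleproducts.com", "/", "uid-2", "203.0.113.9"),
]

def per_transaction_log(requests):
    """Naive retention: every request kept as-is, one list per first party.
    Each customer gets only its own rows, yet the rows still carry
    identifiers that are shared across customers."""
    log = defaultdict(list)
    for r in requests:
        log[r.first_party].append(r)
    return log

def cross_party_identifiers(log):
    """Audit helper (hypothetical): identifiers that occur under more than
    one first party.  Any result means the retained data could correlate a
    user across first parties, which the outsourcing exception forbids."""
    seen = defaultdict(set)
    for party, rows in log.items():
        for r in rows:
            for ident in (r.cookie, r.client_ip):
                if ident:
                    seen[ident].add(party)
    return {i for i, parties in seen.items() if len(parties) > 1}

def aggregate_counts(requests):
    """Safe-harbor shape: retain only per-first-party page-load counts.
    No cookie or IP survives, so there is nothing left to correlate."""
    counts = defaultdict(Counter)
    for r in requests:
        counts[r.first_party][r.page] += 1
    return {party: dict(c) for party, c in counts.items()}
```

Running the audit over the naive log flags the shared cookie and IP, while the aggregate form keeps a report per customer with no identifier at all.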
Received on Monday, 9 January 2012 21:48:02 UTC