- From: Rob van Eijk <rob@blaeu.com>
- Date: Sun, 10 Jun 2012 19:20:04 +0200
- To: <public-tracking@w3.org>
>> In this sense, the browser's > servers are more like ISPs --- they functionally have to receive the > information to operate, but they're also not the end party with which > the user is trying to communicate, and a user with DNT on (or > otherwise!) might not want and expect the company to building > profiles > and/or retaining information about their browsing habits. If the browser calls home (e.g. mozilla crash reporting), or for example speeds up the web experience by caching in the cloud (e.g. opera turbo), this is all processing for which the browser manufacturer is responsible. Because the purpose and means of these informations flows are determined by the browser manufacturer, he is a Controller in the EU. Similar is a Browser manufacturer is a Controller when he builds profiles and/or retains information about browsing habits of users when information flows hit his browser's servers. Another interesting use case is a browser with a default search engine, that calls home ones launched by a user. Because the search module is part of the default settings of the browser, I consider both the browser and the search engine as Joint Controllers in the EU for these information flows. The value proposition of bundling the browser and the default search box is something that should be clear to the user before installation. The user must be able to make a free choice, after having been provided with clear information about the purpose of the data processing prior to calling home. The same analysis applies to other browser add-ons that call home. These will be held accountable as Joint Controllers as well. That is why we see prior and explicit opt-in for e.g. panel data of Pivacy Choice or Evidon. Having said that, I thought of the question how to pull this in DNT. The route to deal with the phenonena as first/third parties may not work. Therefor I propose an alternative route: Use normative text in the compliance document in a section on other parties. <TEXT PROPOSAL> Non normative text: There may be other parties besides first and third parties, e.g. a party not being a first or a third party is a party, in a specific network interaction, that makes the interaction possible. A browser manufacturer can have multiple roles in the modern web ecosystem. Therefor it is important to distinguish the responabilities that come with the different roles of browser manufacturers. A browser manufacturer can be a first party, eg when a user visits the homepage of the browser. A browser manufacturer can be a third party, eg when advertising with a get-my-browser button on various websites on the web. A browser manufacturer can also be an important intermediairy making network interaction possible between a user and first/third parties. Normative text: Parties that make a specific network interaction possible between first and third parties MUST not collect, use, retain and share data beyond that what is strictly necessary for the network interaction and explicitly requested by the user. </TEXT PROPOSAL> Rob PS: If there is any behavior of browser modules / add-ons that you think must be opt-in / are not transparent / lack control, let me know. Justin Brookman schreef op 2012-06-10 17:32: > We should also consider what to do about cloud-based browsers --- > browsers that route web requests through the browser company's own > servers in order to render pages more quickly and efficiently (Amazon > Fire, RIM, Opera I think all do this). In this sense, the browser's > servers are more like ISPs --- they functionally have to receive the > information to operate, but they're also not the end party with which > the user is trying to communicate, and a user with DNT on (or > otherwise!) might not want and expect the company to building > profiles > and/or retaining information about their browsing habits. In these > examples, I would consider the browser company's servers to be > third-party servers, but they may collect, use, and retain the > information per the permitted uses (which do not squarely address > this > scenario) or the two-week grace period. Not sure we need to expand > the > permitted uses, since any retention beyond two weeks should really > fall into one of the existing buckets. > >> ------------------------- >> FROM: Vincent Toubiana [mailto:v.toubiana@free.fr] >> TO: Shane Wiley [mailto:wileys@yahoo-inc.com] >> CC: Rigo Wenning [mailto:rigo@w3.org], public-tracking@w3.org >> [mailto:public-tracking@w3.org], David Singer >> [mailto:singer@apple.com], Tom Lowenthal [mailto:tom@mozilla.com], >> TOUBIANA, VINCENT (VINCENT) >> [mailto:Vincent.Toubiana@alcatel-lucent.com] >> SENT: Sun, 10 Jun 2012 09:52:40 -0400 >> SUBJECT: Re: Considering browser vendor as a third party >> >> Shane, >> >> I believe Justin explanation on this point makes sens, we're not >> interacting *with* the browser, we're interacting with a 1st party >> website *through* the browser. Hence this question might not be out >> of >> scope. >> >> Vincent >> > I agree the question is a valid one. But as the group has already >> discussed "meaningful interaction" as a condition to move a widget >> from a 3rd party context to a 1st party context, why wouldn't that >> apply in this case? If you agree, then web browsers would be >> considered 1st parties and are largely out of scope for the TPWG >> specification. >> > >> > - Shane >> > >> > -----Original Message----- >> > From: Rigo Wenning [mailto:rigo@w3.org [1]] >> > Sent: Friday, June 08, 2012 12:52 PM >> > To: public-tracking@w3.org [2] >> > Cc: David Singer; Tom Lowenthal; TOUBIANA, VINCENT (VINCENT) >> > Subject: Re: Considering browser vendor as a third party >> > >> > On Thursday 07 June 2012 14:44:37 David Singer wrote: >> >> I don't think that's the question. What is the status of the >> >> browser *vendor*'s online site? >> > Vincent raised an important question: What happens if the browser >> > phones home. I hear all saying this is out of scope and will be >> > determined by the applicable jurisdiction. Fine. But it was very >> > important to raise that question IMHO. >> > >> > Rigo >> > >> > > > > Links: > ------ > [1] mailto:rigo@w3.org > [2] mailto:public-tracking@w3.org
Received on Sunday, 10 June 2012 17:20:33 UTC