- From: Rigo Wenning <rigo@w3.org>
- Date: Wed, 07 Mar 2012 11:26:38 +0100
- To: public-tracking@w3.org
- Cc: Tom Lowenthal <tom@mozilla.com>

Hi all,

as the discussion was inconclusive so far, let me start again:

1/ The wording must make clear that in the outsourcing scenario described in " Exception for Outsourcing" the intention is to extend the definition of first party to its providers under strict conditions. Those were written by David Singer and are in line with the EU data controller / data processor distinction. We have closed that issue and should not re-open it here.

2/ As far as I remember, this issue123 was raised in the unregulated context. And in such context, the only way to assert that somebody is lying is if there is violation of a rule. So we need a rule saying: "third parties MUST NOT pretend to be first parties". As a consequence somebody being a third party and pretending to be a first party is not compliant with the DNT system, but asserts to be. This makes follow up by regulators easier.

And this is it. Justin was IMHO right to say that outsourced services under the conditions as laid out in the compliance spec are NOT third parties in the first place. This should go into the non-normative description to avoid future confusion.

As a consequence, I would propose the following amended paragraph while maintaining the rest of Tom's suggestion:

<p>> If not covered by an exception like <a href="#TypesofTrackingOutsourcing">outsourcing</a>, a third party MUST NOT falsely represent themselves as a first party, whether using the methods of expression described in [[!TRACKING-PREFERENCE-EXPRESSION]] or otherwise.</p>

For the non-normative, I would add:

<p>
This section defines high level principles if a third party receives the [DNT-ON] header. It points to other sections for more details on what to do and what not to do. As the DNT-system distinguishes between first and third parties and as first parties are privileged, first parties can still collect certain data, even if [DNT-ON].
It is clear that a third party should not be able to pretend it is a first party in order to obtain the first party's privileges. But no principle without exception. A well-defined class of third parties who only process data on behalf of the first party is considered a first party in this Specification. In fact, third parties fulfilling all requirements from <a href="#TypesofTrackingOutsourcing">the outsourcing definition</a> can claim to be an extension from the first party and thus do not fall under the definition of third party anymore. In case those special outsourcing partners receive an HTTP request, they can claim to be part of the first party. All others are third parties and shall not pretend otherwise.
</p>

BTW, looking at the compliance spec, I have doubts about the numbering and also note that something has broken Opera as it doesn't produce the outline anymore.

Best,

Rigo

On Wednesday 29 February 2012 14:48:52 Tom Lowenthal wrote:
> ACTION-116
> ISSUE-123
>
> Proposal: add an additional requirement to the TC document in section
> 4.3. This replaces a similar provision which Matthias encouraged me to
> remove from the header spec since it makes more sense in TC than TPE.
>
> > A third party MUST NOT falsely represent themselves as a first party,
> > whether using the methods of expression described in
> > [[!TRACKING-PREFERENCE-EXPRESSION]] or otherwise.
>
> The HTML for 4.3 (up to but not including 4.3.1) with this addition is:
>
> ~~~~~
>
> <h3>Compliance by a third party</h3>
>
> <p class="note">This section consists of proposed text that is meant to
> address <a href="http://www.w3.org/2011/tracking-protection/track/issues/19">ISSUE-19</a>
> and <a href="http://www.w3.org/2011/tracking-protection/track/issues/39">ISSUE-39</a>
> and is pending discussion and <strong>[PENDING REVIEW]</strong>.</p>
>
> <p>If the operator of a third-party domain receives a communication to
> which a [DNT-ON] header is attached:</p>
> <ol>
> <li>that operator MUST NOT collect, share, or use information related to
> that
> communication outside of the Exceptions as defined
> within this standard and any explicitly-granted Exemptions, provided in
> accordance with the requirements of this standard;</li>
> <li> that operator MUST NOT use information about previous communications
> in which the operator was a third party, outside of the explicitly
> expressed Exceptions as defined within this standard;</li>
> <li> that operator [MUST NOT or SHOULD NOT] retain information about
> previous communications in which the operator was a third party, outside
> of the explicitly expressed Exceptions as defined within this standard.</li>
> </ol>
>
> <p>> A third party MUST NOT falsely represent themselves as a first
> party, whether using the methods of expression described in
> [[!TRACKING-PREFERENCE-EXPRESSION]] or otherwise.</p>
>
> ~~~~~

Received on Wednesday, 7 March 2012 10:27:08 UTC