Proposals for Compliance issue clean up

Rob,

This begs the question as to how the data acquired by the app is associated
with a later 3rd party request. If you mean an HTML5 based app then
this situation should be covered by the exception API, i.e. the user gives
their consent and this is communicated to the mobile user-agent (so DNT:0 is
sent in later requests). I think trying to handle this use case by layering
further exemptions to DNT:1 will just undermine the whole process.

If you are thinking about a native app then this must be outside the remit
of the group. Would we also need to consider other out-of-band data
gathering, for instance location information gathered from face recognition
of CCTV feeds?

Mike


-----Original Message-----
From: Rob Sherman [mailto:robsherman@fb.com]
Sent: 12 November 2012 02:58
To: Aleecia M. McDonald; public-tracking@w3.org
Subject: Re: Proposals for Compliance issue clean up

Aleecia,

I think it is premature to finalize a definition of "declared data" before
we have consensus on whether and how the concept is relevant.
Particularly, I'm not aware of any existing text in the Editors' Draft that
uses the term "declared data," and it seems that the question whether a
particular proposed definition of that term makes sense depends a lot on how
the term is going to be used.

On the substance of Shane's proposal, though, I'd suggest that it be
modified along the lines of my correspondence with Shane
(http://lists.w3.org/Archives/Public/public-tracking/2012Oct/0310.html) to
make clear that there are situations in which information is "declared data"
even if it is not "directly and expressly supplied by a user to a party."
As described in the thread, Shane and I agreed that this concept includes a
situation in which the user authorizes sharing of information but does not
"directly and expressly suppl[y]" it.  (For example, we agreed that if you
specifically authorize an app to publish information about actions you take
within the app to your Facebook timeline (or specifically authorize Facebook
to receive that information), that information would be deemed "declared
data" as to Facebook even though it is not provided "directly" by the user
to Facebook.)



(I'm happy to work with Shane to modify his proposal to address this
concern.  Even with those modifications, before we finalize this definition
I think it's important for us to understand how, if at all, it will fit into
the draft.)

Thanks.

Rob

 

Rob Sherman
Facebook | Manager, Privacy and Public Policy
1155 F Street, NW Suite 475 | Washington, DC 20004 office 202.370.5147 |
mobile 202.257.3901





On 11/9/12 3:04 PM, "Aleecia M. McDonald" <aleecia@aleecia.com> wrote:

>Here are places we might have straight-forward decisions. If there are 
>no responses within a week (that is, by Friday 16 November,) we will 
>adopt the proposals below.
>
>
>For issue-97 (Re-direction, shortened URLs, click analytics -- what 
>kind of tracking is this?)  with action-196, we have text with no 
>counter proposal. Unless someone volunteers to take an action to write 
>opposing text, we will close this with the action-196 text.
>	PROPOSED: We adopt the text from action-196, 
>http://lists.w3.org/Archives/Public/public-tracking/2012Jun/0106.html
>
>For issue-60 (Will a recipient know if it itself is a 1st or 3rd
>party?) we had a meeting of the minds
>(http://lists.w3.org/Archives/Public/public-tracking/2012Apr/0129.html)
>but did not close the issue. We have support for 3.5.2 Option 2,
>http://www.w3.org/2011/tracking-protection/drafts/tracking-compliance.html#def-first-third-parties-opt-2,
>with one of the authors of 3.5.1 Option 1,
>http://www.w3.org/2011/tracking-protection/drafts/tracking-compliance.html#def-first-third-parties-opt-2
>accepting Option 2. There was no
>sustained objection against Option 2 at that time. Let us find out if
>there is remaining disagreement.
>	PROPOSED: We adopt 3.5.2 Option 2,
>http://www.w3.org/2011/tracking-protection/drafts/tracking-compliance.html#def-first-third-parties-opt-2
>
>For action-306, we have a proposed definition with accompanying
>non-normative examples
>	PROPOSED: We adopt the text from action-306 to define declared data,
>to be added to the definitions in the Compliance document,
>http://lists.w3.org/Archives/Public/public-tracking/2012Oct/0296.html
>	PROPOSED: We look for volunteers to take an action to write text
>explaining when and how declared data is relevant (See the note in
>6.1.2.3,
>http://www.w3.org/2011/tracking-protection/drafts/tracking-compliance.html#first-party-data)
>to address issue-64
>
>	Aleecia

Received on Monday, 12 November 2012 09:44:27 UTC