- From: Roy T. Fielding <fielding@gbiv.com>
- Date: Wed, 3 Oct 2012 00:31:45 -0700
- To: Jonathan Mayer <jmayer@stanford.edu>
- Cc: "public-tracking@w3.org (public-tracking@w3.org)" <public-tracking@w3.org>
- Message-Id: <73AFD8D5-1266-45DE-ABA0-0A8B518F3578@gbiv.com>
On Oct 2, 2012, at 1:09 PM, Jonathan Mayer wrote:

> What's the "rabbit hole" this text spares us from? In my reading it roughly tracks where the Compliance document currently stands, save considering service providers to be part of the first party.

The spec is focused on the party as a legal entity (or group of entities under common ownership) and assumes that the legal entity operates a website that is determined by inference to be the first party. Service providers are grafted on top of that. The rest of the spec is then strewn with requirements that are based on party and first party being allowed to do certain things and not do other things, most of which contradict the service provider definition and don't take into account the need for sharing within the entire group. That's a rabbit hole. We have already spent a year exploring it and made zero progress.

The user doesn't care about ownership. They care about data flow. It doesn't matter how many companies, contractors, outsourcers, consultants, and general busybodies are active on a site; what matters is who is responsible for control of the data and the scope in which it can be retained/used/shared.

A typical large website consists of dozens of contractors working on behalf of the site owner. In many cases, the contractors are split across multiple continents. Since most of them will be working under SLAs, they will be logging information about whatever they are responsible for on the site and dynamically adjusting behavior based on that information. When sh*t happens, all of the people involved in running a site will be sharing their observations and doing whatever it takes to get things right again.

Even companies that wholly own and operate their systems will occasionally contract with marketing consultants to look at the data they have and advise them on better ways to reach their audience (under confidentiality restraints, of course). Likewise for traditional audits.

These are not difficult concepts, but the way in which the spec is focused completely fails to support them. The user just sees a brand, usually associated with a domain name, and doesn't care whether the operators are employees of the owner or merely working on a contract. They do (or at least should) care about confidentiality and where their data can be used. Thus, we can and should define the first party as a group, with one entity being the data controller (or multiple being joint controllers) and then focus on the data flow after that.

....Roy
Received on Wednesday, 3 October 2012 07:32:06 UTC