Re: alternative to party and outsourcing definitions


You've made it clear on a number of occasions that Adobe, one of the largest service providers on the web, wants: 1) to be treated as a first party, and 2) to not have to identify itself as a service provider.  Please don't bury those views in a critique of drafting.


On Wednesday, October 3, 2012 at 12:31 AM, Roy T. Fielding wrote:

> On Oct 2, 2012, at 1:09 PM, Jonathan Mayer wrote:
> > What's the "rabbit hole" this text spares us from?  In my reading it roughly tracks where the Compliance document currently stands, save considering service providers to be part of the first party.
> The spec is focused on the party as a legal entity (or group of
> entities under common ownership) and assumes that the legal
> entity operates a website that is determined by inference to
> be the first party.  Service providers are grafted on top of that.
> The rest of the spec is then strewn with requirements that are
> based on party and first party being allowed to do certain
> things and not do other things, most of which contradict the
> service provider definition and don't take into account the
> need for sharing within the entire group.
> That's a rabbit hole.  We have already spent a year exploring it
> and made zero progress.
> The user doesn't care about ownership.  They care about data flow.
> It doesn't matter how many companies, contractors, outsourcers,
> consultants, and general busy bodies are active on a site; what
> matters is who is responsible for control of the data and the
> scope in which it can be retained/used/shared.
> A typical large website consists of dozens of contractors working
> on behalf of the site owner.  In many cases, the contractors are
> split across multiple continents.  Since most of them will be
> working under SLAs, they will be logging information about whatever
> they are responsible for on the site and dynamically adjusting
> behavior based on that information.  When sh*t happens, all of the
> people involved in running a site will be sharing their observations
> and doing whatever it takes to get things right again.
> Even companies that wholly own and operate their systems will
> occasionally contract with marketing consultants to look at the
> data they have and advise them on better ways to reach their
> audience (under confidentiality restraints, of course).
> Likewise for traditional audits.  These are not difficult concepts,
> but the way in which the spec is focused completely fails to
> support them.
> The user just sees a brand, usually associated with a domain name,
> and doesn't care whether the operators are employees of the owner
> or merely working on a contract.  They do (or at least should) care
> about confidentiality and where their data can be used.  Thus, we
> can and should define the first party as a group, with one entity
> being the data controller (or multiple being joint controllers)
> and then focus on the data flow after that.
> ....Roy 

Received on Wednesday, 3 October 2012 14:10:31 UTC