Re: Data append?-transactional? from Alan Chapell on 2013-04-02 (public-tracking@w3.org from April 2013)

From: Alan Chapell <achapell@chapellassociates.com>
Date: Tue, 02 Apr 2013 12:49:06 -0400
To: Shane Wiley <wileys@yahoo-inc.com>, Jeffrey Chester <jeff@democraticmedia.org>
CC: John Simpson <john@consumerwatchdog.org>, "public-tracking@w3.org (public-tracking@w3.org)" <public-tracking@w3.org>
Message-ID: <CD8082C4.2E3ED%achapell@chapellassociates.com>
Seems like we've gone down one of our infamous ratholes here.

I agree that DNT should not apply to first parties' OFFLINE advertising and
content customization activities. However, I do think that if we allow
offline data to be utilized to tailor first party ONLINE advertising and
content customization activities, we are creating a significant loophole in
the DNT standard. 

We haven't heard yet from the regulators in the working group on this. Ed /
Rob  any thoughts?

I look forward to discussing tomorrow.

Alan


From:  Shane Wiley <wileys@yahoo-inc.com>
Date:  Tuesday, April 2, 2013 10:55 AM
To:  Jeffrey Chester <jeff@democraticmedia.org>
Cc:  John Simpson <john@consumerwatchdog.org>, "public-tracking@w3.org
(public-tracking@w3.org)" <public-tracking@w3.org>
Subject:  RE: Data append?-transactional?
Resent-From:  <public-tracking@w3.org>
Resent-Date:  Tue, 02 Apr 2013 14:57:04 +0000

> Jeff,
>  
> This is a perfect example of attempting to overuse DNT to solve tangential
> privacy issues.  A user¹s decision comes with each and every page request and
> will be recognized for each of the page responses.  Attempting to stretch DNT
> to now be recognized outside of this context is inappropriate.  I understand
> the desire to use this single signal to cover all possible privacy situations
> but I would continue to recommend we avoid that approach and keep our focus
> locked in on the original intent of the working group.
>  
> - Shane
>  
> 
> From: Jeffrey Chester [mailto:jeff@democraticmedia.org]
> Sent: Tuesday, April 02, 2013 4:58 AM
> To: Shane Wiley
> Cc: John Simpson; public-tracking@w3.org (public-tracking@w3.org)
> Subject: Re: Data append?-transactional?
>  
> Shane:
> 
>  
> 
> I don't believe the DNT signal should be considered transactional by First
> parties.  They should register that preference and operate accordingly. Users
> won't expect their DNT decisions to be temporal, fleeting, concerns.  The
> first party server should acknowledge that decision unless it receives a
> signal otherwise.  All data flow decisions should be adjusted to that choice,
> unless otherwise instructed by the user.
> 
>  
> 
>  
> 
>  
> 
>  
> 
> Jeffrey Chester
> 
> Center for Digital Democracy
> 
> 1621 Connecticut Ave, NW, Suite 550
> 
> Washington, DC 20009
> 
> www.democraticmedia.org <http://www.democraticmedia.org>
> 
> www.digitalads.org <http://www.digitalads.org>
> 
> 202-986-2220
>  
> 
> On Apr 1, 2013, at 10:47 PM, Shane Wiley wrote:
> 
> 
> John,
> 
>  
> 
> I believe I see the disconnect.  There is no responsibility for any party (1st
> or 3rd) to ³remember² a user¹s DNT setting  it is transactional  meaning it
> can change from moment to moment per each transaction (in reality I hope
> that¹s not the case but its technically possible).  So in the use case of
> offline appends, you¹re asking a 1st party to ³remember² the last DNT setting
> it received for a user and then apply that offline.  I do not agree with that
> proposal and don¹t feel it¹s appropriate to store a user¹s DNT setting on the
> Server side since this will come with each page request.  I hope this makes
> sense on both sides  that DNT is at its essence: online (real-time) and
> transactional (not a setting Servers must remember for the next transaction
> which will have a page header request of its own).  Fair?
> 
>  
> 
> - Shane
> 
>  
> 
> From: John Simpson [mailto:john@consumerwatchdog.org]
> Sent: Monday, April 01, 2013 3:50 PM
> To: Shane Wiley
> Cc: public-tracking@w3.org (public-tracking@w3.org)
> Subject: Re: Data append?
> 
>  
> 
> Shane, 
> 
>  
> 
> Thanks for responding.  Questions in line below.
> 
>  
> 
> On Mar 31, 2013, at 8:26 PM, Shane Wiley <wileys@yahoo-inc.com> wrote:
> 
> 
> 
> 
> John and Alan,
> 
>  
> 
> Thank you for taking the first pass at normative text for ³data append²
> exercises from the 1st party perspective and how these interrelate to DNT.
> 
>  
> 
> A few comments:
> 
>  
> 
> -- A 1st Party MUST NOT combine or otherwise use identifiable data received
> from another party with data it has collected while a 1st Party.
> 
>  
> 
> [I believe the DNT signal should be directed to the sender, not the recipient.
> In this case, I would expect the 3rd party to receive the signal and
> appropriate not convey information within the context of DNT.  This sentence
> should either be dropped or rewritten to focus on the sender (3rd party in
> this context).]
> 
>  
> 
> I'm sorry, I'm not sure I understand what you mean by sender and recipient.
> By sender do you mean the party that has data and "sends" it to the 1st party
> (the recipient)?  I think you're saying that the 3rd party would receive the
> DNT signal and could not send data to the 1st Party.  I believe that's true
> under the current draft of the TCS spec *IF* the sender is present on the
> website as a 3rd Party.  What I am specifically calling out is the use case
> where the "sender" (I say "another party") has no presence on the site. If
> DNT:1 is enabled, the 1st Party could not go beyond the 1st Party experience
> and request data from  another source.  It's likely the case that this other
> party would not have received a DNT:1 message, so it is necessary for the 1st
> Party to honor the request.
> 
> 
> 
> 
>  
> 
> -- A 1st Party MUST NOT share identifiable data with another party unless the
> data was provided voluntarily by the user and is necessary to complete a
> business transaction with the user.
>> 
>>  
>> 
>> [DNT is transactional.  I could see this prohibition working if the data
>> being passed occurred online in the context of the DNT signal being in the
>> header but for purely offline data matches I hope we agree this could not
>> work.  I would also struggle to understand a business case where a user has
>> ³shared identifiable data involuntarily²  could you please give an example?]
> 
>  
> 
> Why wouldn't this work with offline matches?  I used "provided voluntarily" to
> get at the idea that consent had been given.
> 
> 
>  
> 
> [Of course all of these are trumped by user consent.]
> 
>  
> 
> Agree, if it is informed consent.
> 
>  
> 
> Finally, what's your reaction to the third element:
> 
>  
> 
> A  Party MUST NOT use data gathered while a 1st Party when operating as a 3rd
> Party. 
> 
>  
> 
> Are you comfortable with that?
> 
> Regards,
> 
>  
> 
> John
>> 
>>  
>> 
>> - Shane
>> 
>>  
>> 
>> From: John Simpson [mailto:john@consumerwatchdog.org
>> <http://consumerwatchdog.org> ]
>> Sent: Sunday, March 31, 2013 8:13 PM
>> To: public-tracking@w3.org <mailto:public-tracking@w3.org>
>> (public-tracking@w3.org <mailto:public-tracking@w3.org> )
>> Subject: Data append?
>> Importance: High
>> 
>>  
>> 
>> Colleagues,
>> 
>>  
>> 
>> Alan  Chapell and I have agreed  on text that should cover the situation
>> regarding "data append" when DNT is received.  I look forward to discussing.
>> 
>>  
>> 
>> The text is below.
>> 
>>  
>> 
>> Regards,
>> 
>> John
>> 
>> ----
>> 
>>  
>> 
>> Normative: 
>> 
>> When DNT:1 is received:
>> 
>>  
>> 
>> -- A 1st Party MUST NOT combine or otherwise use identifiable data received
>> from another party with data it has collected while a 1st Party.
>> 
>> -- A 1st Party MUST NOT share identifiable data with another party unless the
>> data was provided voluntarily by the user and is necessary to complete a
>> business transaction with the user.
>> 
>> -- A  Party MUST NOT use data gathered while a 1st Party when operating as a
>> 3rd Party.
>> 
>>  
>> 
>> Non-Normative: 
>> 
>> When DNT:1 is received, a 1st Party retains the ability to customize content,
>> services, and advertising only within the context of the first party
>> experience. A 1st party takes the user interaction outside of the 1st party
>> experience if it receives identifiable data from another party and uses that
>> data for customization of content, services, or advertising.
>> 
>>  
>> 
>> When DNT:1 is received the 1st Party may continue to utilize user provided
>> data in order to complete or fulfill a user initiated business transaction
>> such as fulfilling an order for goods or a subscription.
>> 
>>  
>> 
>> When DNT:1 is received and a Party has become a 3rd Party it is interacting
>> with the user outside of the 1st Party experience.  Using data  gathered
>> while a 1st party is incompatible with interaction as a third party.
>> 
>>  
>> 
>>  
>> 
>>  
>
Received on Tuesday, 2 April 2013 17:28:54 UTC