Re: tracking-ISSUE-190: Sites with multiple first parties [Tracking Preference Expression (DNT)] from Roy T. Fielding on 2013-01-09 (public-tracking@w3.org from January 2013)

From: Roy T. Fielding <fielding@gbiv.com>
Date: Wed, 9 Jan 2013 09:11:38 -0800
To: "Dobbs, Brooks" <Brooks.Dobbs@kbmg.com>
Cc: David Singer <singer@apple.com>, Tracking Protection Working Group <public-tracking@w3.org>
Message-Id: <CD48FFD6-6103-482E-8479-7C64DBFD45B5@gbiv.com>
No, that is not what we are talking about.

Multiple first parties occur when two different brands exist on the
same site, like att.yahoo.net (or was that yahoo.att.net?) with the
clear understanding that users are interacting with both companies
when providing data to that site.  There are other potential cases
of "joint data controllers" in the EU sense, but the one we are
trying to solve here is the multiple first party problem.

....Roy

On Jan 9, 2013, at 6:52 AM, Dobbs, Brooks wrote:

> David,
> 
> Let me suggest a common example that illustrates the complexity you are
> looking for.  Imagine a service provider, clickclick.com, who provides
> services for both publishers and advertisers and runs an exchange.  All
> these services could happen from a single call; all using the same cookie
> and same backend but resulting in independent controllers of data.  The
> advantages to this should be obvious.  By removing redirects all parties
> concerned with financials: the publisher selling the inventory, the
> exchange intermediating the sale and the advertiser buying the inventory
> all deal off of the same numbers.  No redirects means no counting
> differentials. If the publisher sees 12,461,211 sold to the Exchange the
> exchange sees 12,461,211 purchased and the sum seen by the advertisers
> will add up to the same.  Same cookie means agreement on R&F and other
> cookie based measurement.  Here however data from the same HTTP
> transaction may be (or may not be) controlled/owned by multiple parties.
> Depending on the exact nature of the contracts as between
> clickclick<->publisher, publisher<->advertiser(s),
> advertisers<->exchange(clickclick), etc.  There are many possible
> permutations as to just how independent a collectors rights may be.
> 
> -Brooks 
> 
> 
> 
> -- 
> 
> Brooks Dobbs, CIPP | Chief Privacy Officer | KBM Group | Part of the
> Wunderman Network
> (Tel) 678 580 2683 | (Mob) 678 492 1662 | kbmg.com
> brooks.dobbs@kbmg.com
> 
> 
> 
> This email  including attachments  may contain confidential information.
> If you are not the intended recipient,
> do not copy, distribute or act on it. Instead, notify the sender
> immediately and delete the message.
> 
> 
> 
> On 1/8/13 8:06 PM, "David Singer" <singer@apple.com> wrote:
> 
>> 
>> On Jan 8, 2013, at 16:59 , "Roy T. Fielding" <fielding@gbiv.com> wrote:
>> 
>>> The issue is joint data controllers.  It is impossible to
>>> express that in the protocol currently, and it cannot be
>>> discovered otherwise.
>>> 
>>> Š.Roy
>> 
>> OK, I am looking at definitions on the web, for example
>> "http://www.out-law.com/en/articles/2012/april/level-of-expertise-key-fact
>> or-in-determining-whether-processor-is-also-controller-of-personal-data-ic
>> o-says/".  In what circumstances can this arise for us?  I am not seeing
>> it.
>> 
>> If the user 'intends to visit' example.com, and example.com has a service
>> provider provider.com under a service agreement, then the SP identifies
>> either as part of example.com, or as an SP to example.com (we covered
>> this already).  Provider.com is not a joint DC under these terms because
>> they have no independent rights to the data; they are a data processor,
>> not joint DC.
>> 
>> The guidance says "Where the service provider is either given
>> considerable flexibility or independence in determining how to satisfy
>> the client¹s broad instructions or is providing the service in accordance
>> with externally-imposed professional or ethical standards, he will be
>> acting as a joint data controller, rather than a data processor, in
>> relation to the service data,"
>> 
>> Now, how can this occur in our context?  Does provider.com have
>> independent rights to collect data, or not?  If so, they are an
>> independent first or third party; if not, they are a data processor, no?
>> 
>>> 
>>> On Jan 8, 2013, at 4:20 PM, David Singer wrote:
>>> 
>>>> I am somewhat puzzled by what the issue is.
>>>> 
>>>> If there are sites that build in content from multiple parties, and
>>>> the user expected them to be first parties -- or they are anyway --
>>>> they say so in their response header and/or well-known resource.
>>>> 
>>>> If there are sites that build content from multiple servers that are
>>>> all the same party, they can say that in the well-known resource
>>>> (same-party).
>>>> 
>>>> What doesn't work, or isn't clear, already?
>>>> 
>>>> 
>>>> On Jan 8, 2013, at 7:53 , Tracking Protection Working Group Issue
>>>> Tracker <sysbot+tracker@w3.org> wrote:
>>>> 
>>>>> tracking-ISSUE-190: Sites with multiple first parties  [Tracking
>>>>> Preference Expression (DNT)]
>>>>> 
>>>>> http://www.w3.org/2011/tracking-protection/track/issues/190
>>>>> 
>>>>> Raised by: Matthias Schunter
>>>>> On product: Tracking Preference Expression (DNT)
>>>>> 
>>>>> Address how multiple first parties can be expressed in tracking
>>>>> status representation
>>>>> 
>>>>> 
>>>>> 
>>>> 
>>>> David Singer
>>>> Multimedia and Software Standards, Apple Inc.
>>>> 
>>>> 
>>> 
>> 
>> David Singer
>> Multimedia and Software Standards, Apple Inc.
>> 
>> 
> 
>
Received on Wednesday, 9 January 2013 17:12:03 UTC