Re: tracking-ISSUE-190: Sites with multiple first parties [Tracking Preference Expression (DNT)]

You're saying that when I visit att.yahoo.com, I am knowingly and intentionally interacting with two legal entities (AT&T and Yahoo!), and that they both have first-party status and rights on this single site?


On Jan 9, 2013, at 9:15 , Shane Wiley <wileys@yahoo-inc.com> wrote:

> att.yahoo.com (is one example of a multi-first party / co-controller scenario).
> 
> - Shane
> 
> -----Original Message-----
> From: Roy T. Fielding [mailto:fielding@gbiv.com] 
> Sent: Wednesday, January 09, 2013 10:12 AM
> To: Dobbs, Brooks
> Cc: David Singer; Tracking Protection Working Group
> Subject: Re: tracking-ISSUE-190: Sites with multiple first parties [Tracking Preference Expression (DNT)]
> 
> No, that is not what we are talking about.
> 
> Multiple first parties occur when two different brands exist on the same site, like att.yahoo.net (or was that yahoo.att.net?) with the clear understanding that users are interacting with both companies when providing data to that site.  There are other potential cases of "joint data controllers" in the EU sense, but the one we are trying to solve here is the multiple first party problem.
> 
> ....Roy
> 
> On Jan 9, 2013, at 6:52 AM, Dobbs, Brooks wrote:
> 
>> David,
>> 
>> Let me suggest a common example that illustrates the complexity you 
>> are looking for.  Imagine a service provider, clickclick.com, who 
>> provides services for both publishers and advertisers and runs an 
>> exchange.  All these services could happen from a single call; all 
>> using the same cookie and same backend but resulting in independent 
>> controllers of data.  The advantages to this should be obvious.  By 
>> removing redirects all parties concerned with financials: the 
>> publisher selling the inventory, the exchange intermediating the sale 
>> and the advertiser buying the inventory all deal off of the same 
>> numbers.  No redirects means no counting differentials. If the 
>> publisher sees 12,461,211 sold to the Exchange the exchange sees 
>> 12,461,211 purchased and the sum seen by the advertisers will add up 
>> to the same.  Same cookie means agreement on R&F and other cookie 
>> based measurement.  Here however data from the same HTTP transaction may be (or may not be) controlled/owned by multiple parties.
>> Depending on the exact nature of the contracts as between 
>> clickclick<->publisher, publisher<->advertiser(s), 
>> advertisers<->exchange(clickclick), etc.  There are many possible 
>> permutations as to just how independent a collectors rights may be.
>> 
>> -Brooks
>> 
>> 
>> 
>> --
>> 
>> Brooks Dobbs, CIPP | Chief Privacy Officer | KBM Group | Part of the 
>> Wunderman Network
>> (Tel) 678 580 2683 | (Mob) 678 492 1662 | kbmg.com 
>> brooks.dobbs@kbmg.com
>> 
>> 
>> 
>> This email ­ including attachments ­ may contain confidential information.
>> If you are not the intended recipient, do not copy, distribute or act 
>> on it. Instead, notify the sender immediately and delete the message.
>> 
>> 
>> 
>> On 1/8/13 8:06 PM, "David Singer" <singer@apple.com> wrote:
>> 
>>> 
>>> On Jan 8, 2013, at 16:59 , "Roy T. Fielding" <fielding@gbiv.com> wrote:
>>> 
>>>> The issue is joint data controllers.  It is impossible to express 
>>>> that in the protocol currently, and it cannot be discovered 
>>>> otherwise.
>>>> 
>>>> Š.Roy
>>> 
>>> OK, I am looking at definitions on the web, for example 
>>> "http://www.out-law.com/en/articles/2012/april/level-of-expertise-key
>>> -fact 
>>> or-in-determining-whether-processor-is-also-controller-of-personal-da
>>> ta-ic o-says/".  In what circumstances can this arise for us?  I am 
>>> not seeing it.
>>> 
>>> If the user 'intends to visit' example.com, and example.com has a 
>>> service provider provider.com under a service agreement, then the SP 
>>> identifies either as part of example.com, or as an SP to example.com 
>>> (we covered this already).  Provider.com is not a joint DC under 
>>> these terms because they have no independent rights to the data; they 
>>> are a data processor, not joint DC.
>>> 
>>> The guidance says "Where the service provider is either given 
>>> considerable flexibility or independence in determining how to 
>>> satisfy the clientıs broad instructions or is providing the service 
>>> in accordance with externally-imposed professional or ethical 
>>> standards, he will be acting as a joint data controller, rather than 
>>> a data processor, in relation to the service data,"
>>> 
>>> Now, how can this occur in our context?  Does provider.com have 
>>> independent rights to collect data, or not?  If so, they are an 
>>> independent first or third party; if not, they are a data processor, no?
>>> 
>>>> 
>>>> On Jan 8, 2013, at 4:20 PM, David Singer wrote:
>>>> 
>>>>> I am somewhat puzzled by what the issue is.
>>>>> 
>>>>> If there are sites that build in content from multiple parties, and 
>>>>> the user expected them to be first parties -- or they are anyway -- 
>>>>> they say so in their response header and/or well-known resource.
>>>>> 
>>>>> If there are sites that build content from multiple servers that 
>>>>> are all the same party, they can say that in the well-known 
>>>>> resource (same-party).
>>>>> 
>>>>> What doesn't work, or isn't clear, already?
>>>>> 
>>>>> 
>>>>> On Jan 8, 2013, at 7:53 , Tracking Protection Working Group Issue 
>>>>> Tracker <sysbot+tracker@w3.org> wrote:
>>>>> 
>>>>>> tracking-ISSUE-190: Sites with multiple first parties  [Tracking 
>>>>>> Preference Expression (DNT)]
>>>>>> 
>>>>>> http://www.w3.org/2011/tracking-protection/track/issues/190
>>>>>> 
>>>>>> Raised by: Matthias Schunter
>>>>>> On product: Tracking Preference Expression (DNT)
>>>>>> 
>>>>>> Address how multiple first parties can be expressed in tracking 
>>>>>> status representation
>>>>>> 
>>>>>> 
>>>>>> 
>>>>> 
>>>>> David Singer
>>>>> Multimedia and Software Standards, Apple Inc.
>>>>> 
>>>>> 
>>>> 
>>> 
>>> David Singer
>>> Multimedia and Software Standards, Apple Inc.
>>> 
>>> 
>> 
>> 
> 
> 

David Singer
Multimedia and Software Standards, Apple Inc.

Received on Wednesday, 9 January 2013 17:21:21 UTC