Re: tracking-ISSUE-190: Sites with multiple first parties [Tracking Preference Expression (DNT)] from David Singer on 2013-01-09 (public-tracking@w3.org from January 2013)

From: David Singer <singer@apple.com>
Date: Wed, 09 Jan 2013 09:24:30 -0800
To: Tracking Protection Working Group <public-tracking@w3.org>
Message-id: <89D9AB7E-A6A7-427F-B167-0987E5A52122@apple.com>
Cool, now I understand something, but after Roy's and Shane's emails, I also understand that this is a different issue. :-(

For *this* one, it seems that clickclick.com is under a simultaneous service-provider relationship with more than one other party, which we can't currently represent.  I hope this isn't a major issue we have to address for v1, but if we do, we should open a separate issue, it seems.

On Jan 9, 2013, at 6:52 , "Dobbs, Brooks" <brooks.dobbs@kbmg.com> wrote:

> David,
> 
> Let me suggest a common example that illustrates the complexity you are
> looking for.  Imagine a service provider, clickclick.com, who provides
> services for both publishers and advertisers and runs an exchange.  All
> these services could happen from a single call; all using the same cookie
> and same backend but resulting in independent controllers of data.  The
> advantages to this should be obvious.  By removing redirects all parties
> concerned with financials: the publisher selling the inventory, the
> exchange intermediating the sale and the advertiser buying the inventory
> all deal off of the same numbers.  No redirects means no counting
> differentials. If the publisher sees 12,461,211 sold to the Exchange the
> exchange sees 12,461,211 purchased and the sum seen by the advertisers
> will add up to the same.  Same cookie means agreement on R&F and other
> cookie based measurement.  Here however data from the same HTTP
> transaction may be (or may not be) controlled/owned by multiple parties.
> Depending on the exact nature of the contracts as between
> clickclick<->publisher, publisher<->advertiser(s),
> advertisers<->exchange(clickclick), etc.  There are many possible
> permutations as to just how independent a collectors rights may be.
> 
> -Brooks 
> 
> 
> 
> -- 
> 
> Brooks Dobbs, CIPP | Chief Privacy Officer | KBM Group | Part of the
> Wunderman Network
> (Tel) 678 580 2683 | (Mob) 678 492 1662 | kbmg.com
> brooks.dobbs@kbmg.com
> 
> 
> 
> This email  including attachments  may contain confidential information.
> If you are not the intended recipient,
> do not copy, distribute or act on it. Instead, notify the sender
> immediately and delete the message.
> 
> 
> 
> On 1/8/13 8:06 PM, "David Singer" <singer@apple.com> wrote:
> 
>> 
>> On Jan 8, 2013, at 16:59 , "Roy T. Fielding" <fielding@gbiv.com> wrote:
>> 
>>> The issue is joint data controllers.  It is impossible to
>>> express that in the protocol currently, and it cannot be
>>> discovered otherwise.
>>> 
>>> Š.Roy
>> 
>> OK, I am looking at definitions on the web, for example
>> "http://www.out-law.com/en/articles/2012/april/level-of-expertise-key-fact
>> or-in-determining-whether-processor-is-also-controller-of-personal-data-ic
>> o-says/".  In what circumstances can this arise for us?  I am not seeing
>> it.
>> 
>> If the user 'intends to visit' example.com, and example.com has a service
>> provider provider.com under a service agreement, then the SP identifies
>> either as part of example.com, or as an SP to example.com (we covered
>> this already).  Provider.com is not a joint DC under these terms because
>> they have no independent rights to the data; they are a data processor,
>> not joint DC.
>> 
>> The guidance says "Where the service provider is either given
>> considerable flexibility or independence in determining how to satisfy
>> the client¹s broad instructions or is providing the service in accordance
>> with externally-imposed professional or ethical standards, he will be
>> acting as a joint data controller, rather than a data processor, in
>> relation to the service data,"
>> 
>> Now, how can this occur in our context?  Does provider.com have
>> independent rights to collect data, or not?  If so, they are an
>> independent first or third party; if not, they are a data processor, no?
>> 
>>> 
>>> On Jan 8, 2013, at 4:20 PM, David Singer wrote:
>>> 
>>>> I am somewhat puzzled by what the issue is.
>>>> 
>>>> If there are sites that build in content from multiple parties, and
>>>> the user expected them to be first parties -- or they are anyway --
>>>> they say so in their response header and/or well-known resource.
>>>> 
>>>> If there are sites that build content from multiple servers that are
>>>> all the same party, they can say that in the well-known resource
>>>> (same-party).
>>>> 
>>>> What doesn't work, or isn't clear, already?
>>>> 
>>>> 
>>>> On Jan 8, 2013, at 7:53 , Tracking Protection Working Group Issue
>>>> Tracker <sysbot+tracker@w3.org> wrote:
>>>> 
>>>>> tracking-ISSUE-190: Sites with multiple first parties  [Tracking
>>>>> Preference Expression (DNT)]
>>>>> 
>>>>> http://www.w3.org/2011/tracking-protection/track/issues/190
>>>>> 
>>>>> Raised by: Matthias Schunter
>>>>> On product: Tracking Preference Expression (DNT)
>>>>> 
>>>>> Address how multiple first parties can be expressed in tracking
>>>>> status representation
>>>>> 
>>>>> 
>>>>> 
>>>> 
>>>> David Singer
>>>> Multimedia and Software Standards, Apple Inc.
>>>> 
>>>> 
>>> 
>> 
>> David Singer
>> Multimedia and Software Standards, Apple Inc.
>> 
>> 
> 

David Singer
Multimedia and Software Standards, Apple Inc.
Received on Wednesday, 9 January 2013 17:25:35 UTC