- From: David Singer <singer@apple.com>
- Date: Wed, 09 Jan 2013 09:24:30 -0800
- To: Tracking Protection Working Group <public-tracking@w3.org>
Cool, now I understand something, but after Roy's and Shane's emails, I also understand that this is a different issue. :-(

For *this* one, it seems that clickclick.com is under a simultaneous service-provider relationship with more than one other party, which we can't currently represent. I hope this isn't a major issue we have to address for v1, but if we do, we should open a separate issue, it seems.

On Jan 9, 2013, at 6:52 , "Dobbs, Brooks" <brooks.dobbs@kbmg.com> wrote:

> David,
>
> Let me suggest a common example that illustrates the complexity you are
> looking for. Imagine a service provider, clickclick.com, who provides
> services for both publishers and advertisers and runs an exchange. All
> these services could happen from a single call; all using the same cookie
> and same backend but resulting in independent controllers of data. The
> advantages to this should be obvious. By removing redirects all parties
> concerned with financials: the publisher selling the inventory, the
> exchange intermediating the sale and the advertiser buying the inventory
> all deal off of the same numbers. No redirects means no counting
> differentials. If the publisher sees 12,461,211 sold to the Exchange the
> exchange sees 12,461,211 purchased and the sum seen by the advertisers
> will add up to the same. Same cookie means agreement on R&F and other
> cookie based measurement. Here however data from the same HTTP
> transaction may be (or may not be) controlled/owned by multiple parties.
> Depending on the exact nature of the contracts as between
> clickclick<->publisher, publisher<->advertiser(s),
> advertisers<->exchange(clickclick), etc. There are many possible
> permutations as to just how independent a collector's rights may be.
>
> -Brooks
>
> --
>
> Brooks Dobbs, CIPP | Chief Privacy Officer | KBM Group | Part of the
> Wunderman Network
> (Tel) 678 580 2683 | (Mob) 678 492 1662 | kbmg.com
> brooks.dobbs@kbmg.com
>
> This email including attachments may contain confidential information.
> If you are not the intended recipient,
> do not copy, distribute or act on it. Instead, notify the sender
> immediately and delete the message.
>
> On 1/8/13 8:06 PM, "David Singer" <singer@apple.com> wrote:
>
>> On Jan 8, 2013, at 16:59 , "Roy T. Fielding" <fielding@gbiv.com> wrote:
>>
>>> The issue is joint data controllers. It is impossible to
>>> express that in the protocol currently, and it cannot be
>>> discovered otherwise.
>>>
>>> .Roy
>>
>> OK, I am looking at definitions on the web, for example
>> "http://www.out-law.com/en/articles/2012/april/level-of-expertise-key-factor-in-determining-whether-processor-is-also-controller-of-personal-data-ico-says/".
>> In what circumstances can this arise for us? I am not seeing it.
>>
>> If the user 'intends to visit' example.com, and example.com has a service
>> provider provider.com under a service agreement, then the SP identifies
>> either as part of example.com, or as an SP to example.com (we covered
>> this already). Provider.com is not a joint DC under these terms because
>> they have no independent rights to the data; they are a data processor,
>> not joint DC.
>>
>> The guidance says "Where the service provider is either given
>> considerable flexibility or independence in determining how to satisfy
>> the client's broad instructions or is providing the service in accordance
>> with externally-imposed professional or ethical standards, he will be
>> acting as a joint data controller, rather than a data processor, in
>> relation to the service data,"
>>
>> Now, how can this occur in our context? Does provider.com have
>> independent rights to collect data, or not? If so, they are an
>> independent first or third party; if not, they are a data processor, no?
>>
>>> On Jan 8, 2013, at 4:20 PM, David Singer wrote:
>>>
>>>> I am somewhat puzzled by what the issue is.
>>>>
>>>> If there are sites that build in content from multiple parties, and
>>>> the user expected them to be first parties -- or they are anyway --
>>>> they say so in their response header and/or well-known resource.
>>>>
>>>> If there are sites that build content from multiple servers that are
>>>> all the same party, they can say that in the well-known resource
>>>> (same-party).
>>>>
>>>> What doesn't work, or isn't clear, already?
>>>>
>>>> On Jan 8, 2013, at 7:53 , Tracking Protection Working Group Issue
>>>> Tracker <sysbot+tracker@w3.org> wrote:
>>>>
>>>>> tracking-ISSUE-190: Sites with multiple first parties [Tracking
>>>>> Preference Expression (DNT)]
>>>>>
>>>>> http://www.w3.org/2011/tracking-protection/track/issues/190
>>>>>
>>>>> Raised by: Matthias Schunter
>>>>> On product: Tracking Preference Expression (DNT)
>>>>>
>>>>> Address how multiple first parties can be expressed in tracking
>>>>> status representation
>>>>
>>>> David Singer
>>>> Multimedia and Software Standards, Apple Inc.
>>
>> David Singer
>> Multimedia and Software Standards, Apple Inc.

David Singer
Multimedia and Software Standards, Apple Inc.

Received on Wednesday, 9 January 2013 17:25:35 UTC