- From: Walter van Holst <walter.van.holst@xs4all.nl>
- Date: Mon, 03 Jun 2013 13:45:18 +0200
- To: <public-tracking@w3.org>
On 2013-06-03 02:42, Nicholas Doty wrote:

> This makes implementation seem very challenging -- if a first party
> includes third-party content (which itself includes third-party
> content) and one day that third-party iframe decides to limit the news
> items or other content it shows based on requiring DNT:0 consent, it
> sounds like you would suggest that the first party has become
> non-compliant without realizing it.

Either that, or that the meaning of a claim not to be tracking has become very nebulous. Which I think is not what this group is aiming for.

> Part of the confusion may be that we have used the same-party element
> as a way for a site to indicate that multiple domains are actually
> from the same organization;

Again, my understanding of the spec may be flawed. I understood the SAME-PARTY element as a way of claiming responsibility for other parties. And as such would be very well-positioned to mesh well with the controller-processor model most data protection regimes have.

> different data handling practices. I'm also not sure what a user agent
> would do with that information -- if same-party indicated the
> third-parties that are important to displaying content on this page,
> how would it help DNT users to have that information in a
> machine-readable way?

It would allow for the accountability this standard relies on. If a party signals SAME-PARTY responsibility for another party, it can be registered by the UA and/or any extensions of the UA aiming at enhancing the user's privacy.

> I agree with Jonathan, Rob, Roy and Chris (and perhaps you too!)

Yes as a general rule I agree that a first party may make its content available under the condition of a DNT:0 signal. I could also agree that a third party, as a general rule, can make its content available under the condition of a DNT:0 signal.

And I am pushing the boundaries of logic here: given the definition of a third party as "not a first party or UA" and a first party as "In a specific network interaction, a party with which the user intentionally interacts is a first party" (yes, I've simplified both of them somewhat), it is difficult to understand how a user could express informed consent towards a party it by definition unintentionally interacts with.

I strongly disagree that a first party's content can be made dependent under the condition of a DNT:0 signal towards third parties without taking responsibility for the data gathering and processing operations of such third parties. Because a) the third parties are interacted unintentionally with and b) the tracking across various contexts of user browsing behaviour may be disproportionate even with consent (which can at best be poorly informed).

BTW, a little thought experiment: if DNT:0 represents informed consent, doesn't that make the third party by definition a first party given the interaction now has become intentional?

> based on payment (pay-walls). Does it make a difference that it might
> be a third-party widget that is conditioning access to the info it
> displays within its widget on DNT:0 opt-in?

I don't mind the third-party's requirement for DNT:0 in isolation, I do mind the first-party's implicit requirement for DNT:0 towards a third-party without signalling it properly and I also do mind the third party leveraging the first-party's content to acquire consent it otherwise might not get.

One of the core compromises of this group, at least to my understanding, is to improve matters through transparency and accountability. That goes out the window as soon as we allow for situations as described in this issue.

Regards,

Walter
Received on Monday, 3 June 2013 11:45:54 UTC