Re: ISSUE-184

On 2013-06-03 02:42, Nicholas Doty wrote:

> This makes implementation seem very challenging -- if a first party
> includes third-party content (which itself includes third-party
> content) and one day that third-party iframe decides to limit the news
> items or other content it shows based on requiring DNT:0 consent, it
> sounds like you would suggest that the first party has become
> non-compliant without realizing it.

Either that, or that the meaning of a claim not to be tracking has 
become very nebulous. Which I think is not what this group is aiming 
for.

> Part of the confusion may be that we have used the same-party element
> as a way for a site to indicate that multiple domains are actually
> from the same organization;

Again, my understanding of the spec may be flawed. I understood the 
SAME-PARTY element as a way of claiming responsibility for other 
parties. And as such it would be very well-positioned to mesh well with the 
controller-processor model most data protection regimes have.

> different data handling practices. I'm also not sure what a user agent
> would do with that information -- if same-party indicated the
> third-parties that are important to displaying content on this page,
> how would it help DNT users to have that information in a
> machine-readable way?

It would allow for the accountability this standard relies on. If a 
party signals SAME-PARTY responsibility for another party, it can be 
registered by the UA and/or any extensions of the UA aiming at enhancing 
the user's privacy.


> I agree with Jonathan, Rob, Roy and Chris (and perhaps you too!)

Yes as a general rule I agree that a first party may make its content 
available under the condition of a DNT:0 signal. I could also agree that 
a third party, as a general rule, can make its content available under 
the condition of a DNT:0 signal. And I am pushing the boundaries of 
logic here: given the definition of a third party as "not a first party 
or UA" and a first party as "In a specific network interaction, a party 
with which the user intentionally interacts is a first party" (yes, I've 
simplified both of them somewhat), it is difficult to understand how a user 
could express informed consent towards a party it by definition 
unintentionally interacts with.

I strongly disagree that a first party's content can be made dependent 
under the condition of a DNT:0 signal towards third parties without 
taking responsibility for the data gathering and processing operations 
of such third parties. Because a) the third parties are interacted 
with unintentionally and b) the tracking across various contexts of user 
browsing behaviour may be disproportionate even with consent (which can 
at best be poorly informed).

BTW, a little thought experiment: if DNT:0 represents informed consent, 
doesn't that make the third party by definition a first party given the 
interaction now has become intentional?

> based on payment (pay-walls). Does it make a difference that it might
> be a third-party widget that is conditioning access to the info it
> displays within its widget on DNT:0 opt-in?

I don't mind the third-party's requirement for DNT:0 in isolation, I do 
mind the first-party's implicit requirement for DNT:0 towards a 
third-party without signalling it properly and I also do mind the third 
party leveraging the first-party's content to acquire consent it 
otherwise might not get.

One of the core compromises of this group, at least to my 
understanding, is to improve matters through transparency and 
accountability. That goes out the window as soon as we allow for 
situations as described in this issue.

Regards,

  Walter

Received on Monday, 3 June 2013 11:45:54 UTC