Re: DNT:1 and "data append" from David Singer on 2013-03-19 (public-tracking@w3.org from March 2013)

From: David Singer <singer@apple.com>
Date: Tue, 19 Mar 2013 14:53:13 -0700
To: John Simpson <john@consumerwatchdog.org>
Cc: ifette@google.com, Working Group <public-tracking@w3.org>
Message-id: <4934D1EC-B07B-4DA8-A9FA-97B3D7F28AA4@apple.com>
On Mar 19, 2013, at 14:42 , John Simpson <john@consumerwatchdog.org> wrote:

> David,
> 
> As I understand it, some sites take the data they have gathered as a 1st party and append to it data that they have obtained elsewhere -- perhaps from a data broker.  I'm saying that as a user I expect to engage with a 1st party site.  I understand that the site will gather data about my visit there.  What I would not expect with DNT:1 is that the 1st party site would go elsewhere to obtain data and "append" it to the information about my visit to the site.
> 
> Does that make sense?

getting there!

so, examples of data that the 1st party might gather in addition might help:

* take your IP address and infer a geographic location, and record that
* take the geographic location and the time, and record the time-of-day of the transaction in your local timezone
* consult with their advertisers and include an ad with the product you bought ('what has John shown interest in recently?')
* look up your public records about where you live, your family etc., and suggest you buy a birthday gift for your son's upcoming birthday…

can you give better examples?


> 
> Best,
> John
> 
> 
> On Mar 19, 2013, at 1:55 PM, David Singer <singer@apple.com> wrote:
> 
>> Yes, I get that, but the example given of FedEx doesn't make sense to me.  DNT is about the communication between users (and their user-agents) and sites/servers.  Unless FedEx were *also* a 3rd party on the 1st party site, then what the first communicates to them (or anyone else, including posterity in their memoirs) is a concern for the privacy policy, not DNT.
>> 
>> 'Data append' doesn't give me enough … um … data … about who wants to append what data to what other data.
>> 
>> Is this about the data a 1st party site sees, and appending to previously collected data as a 1st party?  (If DNT:1 is set, then there isn't any previous 3rd party data).  If so, I can't see any reason for a set of rules, or a set that would work.
>> 
>> Is this about data a 3rd party site sees, and it has data collected as a 1st party?  The rules are fairly clear, I think, on that also.
>> 
>> Is this about data that the 1st party sees, and passes to a 3rd party for them to add?  The rules seem clear on both the passing and the retention there, also.
>> 
>> Someone clue me in what the question/scenario is?
>> 
>> On Mar 19, 2013, at 10:04 , Ian Fette (イアンフェッティ) <ifette@google.com> wrote:
>> 
>>> David,
>>> 
>>> John's text was explicitly proposing restrictions on first parties. ("A 1st Party MUST NOT...")
>>> 
>>> 
>>> On Mon, Mar 18, 2013 at 6:16 PM, David Singer <singer@apple.com> wrote:
>>> 
>>> On Mar 18, 2013, at 15:52 , Ian Fette (イアンフェッティ) <ifette@google.com> wrote:
>>> 
>>>> Presumably there would be some carve-outs here? E.g. if you come to my site with DNT1 and buy something with me,
>>> 
>>> then the site just became a first party (unless somehow the user can buy without knowingly interacting with the site…), and there are few rules for you...
>>> 
>>> John, can you back up a bit and remind me what the scenario is that troubles you, and then I can try to be more helpful...
>>> 
>>>> I'm going to share identifiable information with FedEx so that they can deliver your product...
>>>> 
>>>> 
>>>> On Mon, Mar 18, 2013 at 3:44 PM, John Simpson <john@consumerwatchdog.org> wrote:
>>>> Colleagues,
>>>> 
>>>> I wanted to propose some privacy friendly text that would cover the "data append" situation when DNT:1 is sent.  I think others are working on possible language,  but I wanted to make my proposed language available for consideration and discussion.
>>>> 
>>>> Normative
>>>> When DNT:1 is received:
>>>> 
>>>> -- A 1st Party MUST NOT share share identifiable data with another party.
>>>> -- A 1st Party MUST NOT combine identifiable data from another party with data it has collected while a 1st Party.
>>>> 
>>>> 
>>>> Cheers,
>>>> John
>>>> 
>>>> ---------
>>>> John M. Simpson
>>>> Privacy Project Director
>>>> Consumer Watchdog
>>>> 2701 Ocean Park Blvd., Suite 112
>>>> Santa Monica, CA, 90405
>>>> Tel: 310-392-7041
>>>> Cell: 310-292-1902
>>>> www.ConsumerWatchdog.org
>>>> john@consumerwatchdog.org
>>>> 
>>>> 
>>>> 
>>>> 
>>>> 
>>>> 
>>>> 
>>>> 
>>> 
>>> David Singer
>>> Multimedia and Software Standards, Apple Inc.
>>> 
>>> 
>> 
>> David Singer
>> Multimedia and Software Standards, Apple Inc.
>> 
> 

David Singer
Multimedia and Software Standards, Apple Inc.
Received on Tuesday, 19 March 2013 21:53:41 UTC