Re: DNT:1 and "data append"

Seems like not including "data append" creates a loophole in the DNT
standard whereby:

Data collected from online sources and used for online ad targeting is
subject to DNT.
Data collected from offline sources and used for online ad targeting is NOT
subject to DNT.

Under this type of ruleset, we're simply shifting the source of ad targeting
and content customization data -- from online profiles to offline profiles.

And then there's the issue raised in Amsterdam whereby some First Parties
thought it would be ok to use data to target ads outside the four corners of
the First Party site when DNT is turned on – a position that to my
knowledge, none of the First Parties in the group have publicly backed away
from.

I look forward to discussing this next week.

Alan

From:  Jeffrey Chester <jeff@democraticmedia.org>
Date:  Tuesday, March 19, 2013 6:10 PM
To:  Chris Pedigo <CPedigo@online-publishers.org>
Cc:  "ifette@google.com" <ifette@google.com>, David Singer
<singer@apple.com>, Working Group <public-tracking@w3.org>
Subject:  Re: DNT:1 and "data append"
Resent-From:  <public-tracking@w3.org>
Resent-Date:  Tue, 19 Mar 2013 22:11:30 +0000

> DNT should halt the practice of digital data append data chaining that is now
> the norm in the industry.  First and third parties have seamlessly integrated
> real-time and complex forms of data append--used for profiling, tracking,
> offers, etc.  DNT:1 should signal to First parties:  No append without
> informed prior consent.  Otherwise DNT will be meaningless.
> 
> 
> 
> 
> Jeffrey Chester
> Center for Digital Democracy
> 1621 Connecticut Ave, NW, Suite 550
> Washington, DC 20009
> www.democraticmedia.org <http://www.democraticmedia.org>
> www.digitalads.org <http://www.digitalads.org>
> 202-986-2220
> 
> On Mar 19, 2013, at 3:19 PM, Chris Pedigo wrote:
> 
>> John, I continue to have many concerns about a “data append” restriction.
>> Below, I have addressed what I perceive to be two concerns raised by
>> proponents of a Data Append restriction.  But, I am curious to know if you
>> have additional concerns or comments.
>>  
>> 1)      Concern:  In the process of a 1st party acquiring data, the 1st party
>> may inadvertently share data with a third party (namely that a DNT:1 user
>> visited the 1st party’s site).
>>  
>> I believe the standard already addresses this concern as 1st parties are
>> prohibited from sharing data with a 3rd party that it could not otherwise
>> collect for its independent use.  Indeed, many “data appends” are conducted
>> today using a double blind approach so that the 3rd party never sees the 1st
>> party data.  In some cases, the 3rd party may see the data, but it would be
>> contractually prohibited from using the data for its own use.  Thus, it could
>> qualify under the service provider provision (contract + no independent right
>> to use data).  Regardless of today’s practices, the prohibition on 1st
>> parties sharing data would address this concern.
>>  
>> 2)      Concern:  1st parties should be prohibited from building profiles
>> about its users.
>>  
>> My concern with this kind of prohibition is that it would be completely
>> inappropriate and out of scope for DNT.  In a world where 1st parties cannot
>> share data and 3rd parties cannot collect data about DNT:1 users, there are
>> only certain kinds of data sets that would remain available to be appended –
>> publicly available data, data collected with consent, off-line data and
>> pre-DNT data.  I think there is broad agreement that none of these data sets
>> should be restricted by DNT.  Moreover, we have already largely exempted 1st
>> parties from DNT, because consumers have different expectations with regard
>> to 1stparties.  They have a direct relationship with the 1st party since they
>> chose to visit the site and consumers have fundamental choices about the
>> sites they can visit (or not visit).
>>  
>> Also, let’s take this one step further – what happens after a publisher has
>> learned more about its audience?  Under the rules of DNT, it still cannot
>> share data about DNT:1 users.  So, how would a publisher use this appended
>> data set for its internal purposes?  There are a few ways it would be used –
>> 1st party marketing, audience measurement and content personalization are the
>> primary purposes.  IMO, none of these uses violate a user’s expectations.
>>  
>> In summary, I think DNT is useful because it provides a clean, easy way to
>> express a preference with regard to 3rd party data collection.  We should
>> remain focused on providing this basic functionality.
>>  
>>  
>> From: Ian Fette (イアンフェッティ) [mailto:ifette@google.com]
>> Sent: Tuesday, March 19, 2013 1:05 PM
>> To: David Singer
>> Cc: Working Group
>> Subject: Re: DNT:1 and "data append"
>>  
>> David,
>>  
>> John's text was explicitly proposing restrictions on first parties. ("A 1st
>> Party MUST NOT...")
>>  
>> 
>> On Mon, Mar 18, 2013 at 6:16 PM, David Singer <singer@apple.com> wrote:
>>  
>> On Mar 18, 2013, at 15:52 , Ian Fette (イアンフェッティ) <ifette@google.com>
>> wrote:
>> 
>> 
>> Presumably there would be some carve-outs here? E.g. if you come to my site
>> with DNT1 and buy something with me,
>>  
>> then the site just became a first party (unless somehow the user can buy
>> without knowingly interacting with the site…), and there are few rules for
>> you...
>>  
>> John, can you back up a bit and remind me what the scenario is that troubles
>> you, and then I can try to be more helpful...
>> 
>> 
>> I'm going to share identifiable information with FedEx so that they can
>> deliver your product...
>>  
>> 
>> On Mon, Mar 18, 2013 at 3:44 PM, John Simpson <john@consumerwatchdog.org>
>> wrote:
>> Colleagues,
>>  
>> I wanted to propose some privacy friendly text that would cover the "data
>> append" situation when DNT:1 is sent.  I think others are working on possible
>> language,  but I wanted to make my proposed language available for
>> consideration and discussion.
>>  
>> Normative
>> When DNT:1 is received:
>>  
>> -- A 1st Party MUST NOT share share identifiable data with another party.
>> -- A 1st Party MUST NOT combine identifiable data from another party with
>> data it has collected while a 1st Party.
>>  
>>  
>> Cheers,
>> John
>>  
>> ---------
>> John M. Simpson
>> Privacy Project Director
>> Consumer Watchdog
>> 2701 Ocean Park Blvd., Suite 112
>> Santa Monica, CA, 90405
>> Tel: 310-392-7041 <tel:310-392-7041>
>> Cell: 310-292-1902 <tel:310-292-1902>
>> www.ConsumerWatchdog.org <http://www.consumerwatchdog.org/>
>> john@consumerwatchdog.org
>>  
>>  
>>  
>>  
>>  
>>  
>>  
>>  
>> David Singer
>> Multimedia and Software Standards, Apple Inc.
>>  
>