Re: DNT:1 and "data append" from John Simpson on 2013-03-20 (public-tracking@w3.org from March 2013)

From: John Simpson <john@consumerwatchdog.org>
Date: Wed, 20 Mar 2013 11:36:13 -0700
To: Alan Chapell <achapell@chapellassociates.com>
Cc: Jeffrey Chester <jeff@democraticmedia.org>, Chris Pedigo <CPedigo@online-publishers.org>, "ifette@google.com" <ifette@google.com>, David Singer <singer@apple.com>, Working Group <public-tracking@w3.org>
Message-Id: <C42187E5-3BBD-4A98-9AD2-5895CF3E5E2D@consumerwatchdog.org>
I don't see how under DNT:1 data gathered as a 1st party can be used to target ads when a site is a third party. 

On Mar 20, 2013, at 6:00 AM, Alan Chapell <achapell@chapellassociates.com> wrote:

> Seems like not including "data append" creates a loophole in the DNT standard whereby:
> 
> Data collected from online sources and used for online ad targeting is subject to DNT.
> Data collected from offline sources and used for online ad targeting is NOT subject to DNT.
> 
> Under this type of ruleset, we're simply shifting the source of ad targeting and content customization data -- from online profiles to offline profiles.
> 
> And then there's the issue raised in Amsterdam whereby some First Parties thought it would be ok to use data to target ads outside the four corners of the First Party site when DNT is turned on – a position that to my knowledge, none of the First Parties in the group have publicly backed away from.
> 
> I look forward to discussing this next week.
> 
> Alan
> 
> From: Jeffrey Chester <jeff@democraticmedia.org>
> Date: Tuesday, March 19, 2013 6:10 PM
> To: Chris Pedigo <CPedigo@online-publishers.org>
> Cc: "ifette@google.com" <ifette@google.com>, David Singer <singer@apple.com>, Working Group <public-tracking@w3.org>
> Subject: Re: DNT:1 and "data append"
> Resent-From: <public-tracking@w3.org>
> Resent-Date: Tue, 19 Mar 2013 22:11:30 +0000
> 
>> DNT should halt the practice of digital data append data chaining that is now the norm in the industry.  First and third parties have seamlessly integrated real-time and complex forms of data append--used for profiling, tracking, offers, etc.  DNT:1 should signal to First parties:  No append without informed prior consent.  Otherwise DNT will be meaningless.
>> 
>> 
>> 
>> 
>> Jeffrey Chester
>> Center for Digital Democracy
>> 1621 Connecticut Ave, NW, Suite 550
>> Washington, DC 20009
>> www.democraticmedia.org
>> www.digitalads.org
>> 202-986-2220
>> 
>> On Mar 19, 2013, at 3:19 PM, Chris Pedigo wrote:
>> 
>>> John, I continue to have many concerns about a “data append” restriction.  Below, I have addressed what I perceive to be two concerns raised by proponents of a Data Append restriction.  But, I am curious to know if you have additional concerns or comments.
>>>  
>>> 1)      Concern:  In the process of a 1st party acquiring data, the 1st party may inadvertently share data with a third party (namely that a DNT:1 user visited the 1st party’s site).
>>>  
>>> I believe the standard already addresses this concern as 1st parties are prohibited from sharing data with a 3rd party that it could not otherwise collect for its independent use.  Indeed, many “data appends” are conducted today using a double blind approach so that the 3rd party never sees the 1st party data.  In some cases, the 3rd party may see the data, but it would be contractually prohibited from using the data for its own use.  Thus, it could qualify under the service provider provision (contract + no independent right to use data).  Regardless of today’s practices, the prohibition on 1st parties sharing data would address this concern.
>>>  
>>> 2)      Concern:  1st parties should be prohibited from building profiles about its users.
>>>  
>>> My concern with this kind of prohibition is that it would be completely inappropriate and out of scope for DNT.  In a world where 1st parties cannot share data and 3rd parties cannot collect data about DNT:1 users, there are only certain kinds of data sets that would remain available to be appended – publicly available data, data collected with consent, off-line data and pre-DNT data.  I think there is broad agreement that none of these data sets should be restricted by DNT.  Moreover, we have already largely exempted 1st parties from DNT, because consumers have different expectations with regard to 1stparties.  They have a direct relationship with the 1st party since they chose to visit the site and consumers have fundamental choices about the sites they can visit (or not visit).
>>>  
>>> Also, let’s take this one step further – what happens after a publisher has learned more about its audience?  Under the rules of DNT, it still cannot share data about DNT:1 users.  So, how would a publisher use this appended data set for its internal purposes?  There are a few ways it would be used – 1st party marketing, audience measurement and content personalization are the primary purposes.  IMO, none of these uses violate a user’s expectations. 
>>>  
>>> In summary, I think DNT is useful because it provides a clean, easy way to express a preference with regard to 3rd party data collection.  We should remain focused on providing this basic functionality.
>>>  
>>>  
>>> From: Ian Fette (イアンフェッティ) [mailto:ifette@google.com] 
>>> Sent: Tuesday, March 19, 2013 1:05 PM
>>> To: David Singer
>>> Cc: Working Group
>>> Subject: Re: DNT:1 and "data append"
>>>  
>>> David,
>>>  
>>> John's text was explicitly proposing restrictions on first parties. ("A 1st Party MUST NOT...")
>>>  
>>> 
>>> On Mon, Mar 18, 2013 at 6:16 PM, David Singer <singer@apple.com> wrote:
>>>  
>>> On Mar 18, 2013, at 15:52 , Ian Fette (イアンフェッティ) <ifette@google.com> wrote:
>>> 
>>> 
>>> Presumably there would be some carve-outs here? E.g. if you come to my site with DNT1 and buy something with me,
>>>  
>>> then the site just became a first party (unless somehow the user can buy without knowingly interacting with the site…), and there are few rules for you...
>>>  
>>> John, can you back up a bit and remind me what the scenario is that troubles you, and then I can try to be more helpful...
>>> 
>>> 
>>> I'm going to share identifiable information with FedEx so that they can deliver your product...
>>>  
>>> 
>>> On Mon, Mar 18, 2013 at 3:44 PM, John Simpson <john@consumerwatchdog.org> wrote:
>>> Colleagues,
>>>  
>>> I wanted to propose some privacy friendly text that would cover the "data append" situation when DNT:1 is sent.  I think others are working on possible language,  but I wanted to make my proposed language available for consideration and discussion.
>>>  
>>> Normative
>>> When DNT:1 is received:
>>>  
>>> -- A 1st Party MUST NOT share share identifiable data with another party.
>>> -- A 1st Party MUST NOT combine identifiable data from another party with data it has collected while a 1st Party.
>>>  
>>>  
>>> Cheers,
>>> John
>>>  
>>> ---------
>>> John M. Simpson
>>> Privacy Project Director
>>> Consumer Watchdog
>>> 2701 Ocean Park Blvd., Suite 112
>>> Santa Monica, CA, 90405
>>> Tel: 310-392-7041
>>> Cell: 310-292-1902
>>> www.ConsumerWatchdog.org
>>> john@consumerwatchdog.org
>>>  
>>>  
>>>  
>>>  
>>>  
>>> 
>>>  
>>>  
>>>  
>>> David Singer
>>> Multimedia and Software Standards, Apple Inc.
>>>  
>>
Received on Wednesday, 20 March 2013 18:36:48 UTC