Re: New Change Proposal: New text for First Party Compliance (Issue-170) from David Wainberg on 2013-10-01 (public-tracking@w3.org from October 2013)

From: David Wainberg <dwainberg@appnexus.com>
Date: Mon, 30 Sep 2013 21:15:34 -0400
To: John Simpson <john@consumerwatchdog.org>
CC: Vinay Goel <vigoel@adobe.com>, Rob Sherman <robsherman@fb.com>, "public-tracking@w3.org List" <public-tracking@w3.org>
Message-ID: <524A2236.5020306@appnexus.com>
Hi John,

The rationale is that parties should be able to share data with other 
parties who are able to use it. If the receiving party has an exception 
or can take advantage of permitted uses, then that party should be able 
to receive the data.

-David

On 2013-09-30 8:51 PM, John Simpson wrote:
> Hi David,
>
> Could you please explain the rational for this?
>
> Thanks,
> John
>
>
>
> On Sep 30, 2013, at 4:48 PM, David Wainberg <dwainberg@appnexus.com 
> <mailto:dwainberg@appnexus.com>> wrote:
>
>> Vinay,
>>
>> I'd offer a friendly amendment, as well. Your new text reverts from 
>> the old version that prohibits first parties from sharing with "third 
>> parties who could not collect the data themselves under this 
>> standard," but not from sharing altogether. I understand there's a 
>> concern about giving 1st parties a loophole to share data to be used 
>> in contradiction to the spec. However, I think a total prohibition 
>> goes too far. If this were to be the language for 1st party 
>> compliance, I'd propose this edit:
>>
>> "If a first party receives a DNT:1 signal, the first party MAY 
>> collect, retain, and use data in a manner consistent with any 
>> commitments the first party makes to its users. A first party MAY 
>> share data about this network interaction with its service providers 
>> and with third parties, provided that the first party MUST pass the 
>> DNT:1 signal with the data and that any third parties receiving the 
>> data must abide by any applicable requirements of this specification."
>>
>> -David
>>
>>
>>
>> On 2013-09-27 12:18 PM, Vinay Goel wrote:
>>> Hi Rob,
>>>
>>> Thanks for the thoughtful explanation and edits.  Yes, I'd accept 
>>> your suggested changes as edits to my proposed text.
>>>
>>> -Vinay
>>>
>>> From: Rob Sherman <robsherman@fb.com <mailto:robsherman@fb.com>>
>>> Date: Friday, September 27, 2013 12:12 PM
>>> To: Vinay Goel <vigoel@adobe.com <mailto:vigoel@adobe.com>>, 
>>> "public-tracking@w3.org <mailto:public-tracking@w3.org> List" 
>>> <public-tracking@w3.org <mailto:public-tracking@w3.org>>
>>> Subject: Re: New Change Proposal: New text for First Party 
>>> Compliance (Issue-170)
>>>
>>> Vinay,
>>>
>>> Would you accept a friendly amendment to your text, as follows:
>>>
>>>     "If a first party receives a DNT:1 signal, the first party MAY
>>>     collect, retain, and use data *_in a manner consistent with any
>>>     commitments the first party makes to its users _**to both
>>>     analyze usage and customize the content, services, and
>>>     advertising within the context of a first party experience*.  A
>>>     first party MAY share data about this network interaction with
>>>     its service providers, but it MAY NOT share data about this
>>>     network interaction with third parties."
>>>
>>>
>>> I am concerned about claiming to limit what a first party can do 
>>> with data collected when a user directly interacts with it, 
>>> particularly given that the specified uses here (analysis and 
>>> customization) would exclude activities that we've already agreed as 
>>> a group are permissible even in the third-party context.  For 
>>> example, this text doesn't seem to anticipate use of first-party 
>>> data for security purposes.  More generally, though, it seems 
>>> inappropriate to have a list of permitted uses for first parties, 
>>> given that first-party services are going to vary quite 
>>> substantially in how they will need to use data, depending on what 
>>> service they are providing.  My sense is that it is more prudent 
>>> here to simply say that the first party has to comply with whatever 
>>> commitments it makes and avoid circumventing DNT by passing data to 
>>> a non-service provider that couldn't collect it directly — and I 
>>> think this is consistent with the rationale you articulate below 
>>> that "the first party should be able to define/describe whatever it 
>>> follows within its Privacy Policy."
>>>
>>> (Obviously, as with the rest of the standard, all of this would be 
>>> subject to consent.  As a result, for example, if you post a status 
>>> update on Facebook and share it with your friends, the prohibition 
>>> on third-party sharing  shouldn't prohibit Facebook from sharing 
>>> that status update with third-parties who are your friends, because 
>>> we are doing this with your consent.  But I don't think this point 
>>> is controversial.)
>>>
>>> I also had some feedback on one of your other change proposals but 
>>> will raise that separately in that thread.
>>>
>>> Thanks.
>>>
>>> Rob
>>>
>>> Rob Sherman
>>> *Facebook** | **Manager, Privacy and Public Policy*
>>> 1155 F Street, NW Suite 475 | Washington, DC 20004
>>> office 202.370.5147 | mobile 202.257.3901
>>>
>>> From: Vinay Goel <vigoel@adobe.com <mailto:vigoel@adobe.com>>
>>> Date: Tuesday, September 24, 2013 10:55 AM
>>> To: "public-tracking@w3.org <mailto:public-tracking@w3.org> List" 
>>> <public-tracking@w3.org <mailto:public-tracking@w3.org>>
>>> Subject: New Change Proposal: New text for First Party Compliance 
>>> (Issue-170)
>>> Resent-From: <public-tracking@w3.org <mailto:public-tracking@w3.org>>
>>> Resent-Date: Tuesday, September 24, 2013 10:56 AM
>>>
>>> Current text: "If a first party receives a DNT:1 signal the first 
>>> party/may/engage in its normal collection and use of information. 
>>> This includes the ability to customize the content, services, and 
>>> advertising in the context of the first party experience.
>>>
>>> The first party /must not/ pass information about this network 
>>> interaction to third parties who could not collect the data 
>>> themselves under this standard. Information about the transaction 
>>> /may/ be passed on to service providers acting on behalf of the 
>>> first party
>>>
>>> First parties/may/elect to follow third party practices."
>>>
>>> Proposed new text: "If a first party receives a DNT:1 signal, the 
>>> first party MAY collect, retain, and use data to both analyze usage 
>>> and customize the content, services, and advertising within the 
>>> context of a first party experience.  A first party MAY share data 
>>> about this network interaction with its service providers, but it 
>>> MAY NOT share data about this network interaction with third parties."
>>>
>>> Rationale: First off, we use the term 'data' within the definitions 
>>> of Collect, use, share, etc. but now switch to 'information'.  We 
>>> should be consistent within the document unless there is a reason 
>>> for the switched term (though if there is a reason, its unclear). 
>>>  Second, what does 'normal collection and use' mean?  What if that 
>>> first party believes its normal use is to sell/share the information 
>>> with a data broker?  We need to set parameters on what normal 
>>> collection and use mean.  Because we need to set parameters, we 
>>> should use the defined terms collect, retain and use.  In addition, 
>>> the current text introduces the term 'pass' which is 
>>> undefined/unclear.  Instead, why not use the defined term of share? 
>>>  Last, the last sentence 'First partys MAY elect…' is completely 
>>> unnecessary.  First Parties MAY also choose to elect SOME third 
>>> party practices but not all.  Do we need to state that as well? 
>>>  Instead, the first party should be able to define/describe whatever 
>>> it follows within its Privacy Policy.
>>>
>>> Draws upon: Issue-170
>>>
>>> -Vinay
>>>
>>
>
Received on Tuesday, 1 October 2013 01:16:04 UTC