W3C home > Mailing lists > Public > public-tracking@w3.org > October 2013

Re: New Change Proposal: New text for First Party Compliance (Issue-170)

From: Justin Brookman <jbrookman@cdt.org>
Date: Tue, 1 Oct 2013 14:45:37 -0400
Cc: "public-tracking@w3.org (public-tracking@w3.org)" <public-tracking@w3.org>
Message-Id: <78FAB623-4113-4FC2-AC82-D3B783D6ABAD@cdt.org>
To: Lee Tien <tien@eff.org>
This may be (?) the scenario that David is getting to:

The way that I've envisioned this working is that first-party publishers (unless they want to get an exception for their partners) are just going to pass on an ad request + the DNT:1 signal to an ad network* and expect the ad network to come back with a compliant ad.  The ad network will get the request and then determine whether it has a permitted use or a previously-granted exception and reply accordingly.  But it won't be up to the first-party publisher to pre-vet whether and how its partners can use the data.

Technically the first party is responsible for the decision to send the data on to the third party without knowing how the third party can/will use the data, and I think David is just trying to ensure that it's the third parties who have the obligation to comply.  Under the Vinay/Rob language, a first party couldn't even send a web request on to ANY third party, even if they knew that the third party was totally going to comply with DNT.

That could probably be clearer.  I'm going for coffee.

(I know that the ecosystem is more sophisticated than "ad networks" but I'm using ad networks as a proxy for all the players in the ecosystem.)

On Oct 1, 2013, at 11:29 AM, Lee Tien <tien@eff.org> wrote:

> Hi David,
> 
> This is how I think advocates see it -- feel free to correct me if I've misunderstood or erred.
> 
> Assumption:  If a third party could practically or feasibly collect such data itself from the user under a permitted use, then it would (and doesn't need this new text).
> 
> Inference:  It seems (here is where my logic may be faulty) that this change only matters when the third party can't practically or feasibly collect the data itself, but the first party can.
> 
> Conclusion:  First parties could send data to third parties that the third parties otherwise wouldn't have, whether for technical or economic reasons.
> 
> That's not good from a privacy advocate's perspective, because we want to minimize unconsented data flow, period.  Even if we "agree" to a permitted use (which may be a matter of politics and not what we view as good policy), we may still think of it as a loophole because it departs from what we view as the correct DNT norm (don't collect without consent).  
> 
> Put another way, the fact that third parties would still be bound by rules is secondary to the primary point:  they'd have the data.    
> 
> Lee
> 
> 
> 
> 
> 
> 
> On Oct 1, 2013, at 6:14 AM, David Wainberg wrote:
> 
>> 
>> On 2013-10-01 9:07 AM, Walter van Holst wrote:
>>> On 2013-10-01 15:00, David Wainberg wrote:
>>>> Mike,
>>>> 
>>>> As the draft spec stands today, under DNT:1 third parties can collect
>>>> and use data with an exception or under the permitted uses. I don't
>>>> see the loophole. These exceptions are already agreed on.
>>> 
>>> You are assuming that exceptions will always be granted. I rather doubt that. As far as the permitted uses are concerned, I do not read them as permitting to share DNT:1 data with third parties.
>> I'm not assuming that exceptions will always be granted. What does that have to do with it? And permitted uses will always be allowed.
>>> 
>>> So Mike is right, this would create a glaring loophole, which would be a no-no to me.
>> I still don't understand what the loophole is. Can you explain further?
>> 
>> -David
>> 
>> 
> 
> 
Received on Tuesday, 1 October 2013 18:46:08 UTC

This archive was generated by hypermail 2.3.1 : Friday, 3 November 2017 21:45:19 UTC