W3C home > Mailing lists > Public > public-tracking@w3.org > October 2013

RE: New Change Proposal: New text for First Party Compliance (Issue-170)

From: Mike O'Neill <michael.oneill@baycloud.com>
Date: Tue, 1 Oct 2013 20:52:10 +0100
To: "'David Wainberg'" <dwainberg@appnexus.com>, "'Justin Brookman'" <jbrookman@cdt.org>
Cc: "'Lee Tien'" <tien@eff.org>, <public-tracking@w3.org>
Message-ID: <1e3e01cebedf$b8404fd0$28c0ef70$@baycloud.com>

This is only relevant for a server-server call. In a client-side interaction
the UGE API can let the first-party script know what DNT setting the
third-party will get, and it (the first-party script) can stop/allow unique
id sharing appropriately.

In a server-server situation there would be no way for the first-party to
know what the correct DNT signal would be for that third-party, or the
third-party to determine it for itself, so sharing cannot be allowed (if the
first-party gets DNT:1)


-----Original Message-----
From: David Wainberg [mailto:dwainberg@appnexus.com] 
Sent: 01 October 2013 20:40
To: Justin Brookman
Cc: Lee Tien; public-tracking@w3.org (public-tracking@w3.org)
Subject: Re: New Change Proposal: New text for First Party Compliance


That's a great explanation. There are other scenarios, too. I think a
server-to-server call from the publisher's ad server is one example.


On 2013-10-01 2:45 PM, Justin Brookman wrote:
> This may be (?) the scenario that David is getting to:
> The way that I've envisioned this working is that first-party publishers
(unless they want to get an exception for their partners) are just going to
pass on an ad request + the DNT:1 signal to an ad network* and expect the ad
network to come back with a compliant ad.  The ad network will get the
request and then determine whether it has a permitted use or a
previously-granted exception and reply accordingly.  But it won't be up to
the first-party publisher to pre-vet whether and how its partners can use
the data.
> Technically the first party is responsible for the decision to send the
data on to the third party without knowing how the third party can/will use
the data, and I think David is just trying to ensure that it's the third
parties who have the obligation to comply.  Under the Vinay/Rob language, a
first party couldn't even send a web request on to ANY third party, even if
they knew that the third party was totally going to comply with DNT.
> That could probably be clearer.  I'm going for coffee.
> (I know that the ecosystem is more sophisticated than "ad networks" 
> but I'm using ad networks as a proxy for all the players in the 
> ecosystem.)
> On Oct 1, 2013, at 11:29 AM, Lee Tien <tien@eff.org> wrote:
>> Hi David,
>> This is how I think advocates see it -- feel free to correct me if I've
misunderstood or erred.
>> Assumption:  If a third party could practically or feasibly collect such
data itself from the user under a permitted use, then it would (and doesn't
need this new text).
>> Inference:  It seems (here is where my logic may be faulty) that this
change only matters when the third party can't practically or feasibly
collect the data itself, but the first party can.
>> Conclusion:  First parties could send data to third parties that the
third parties otherwise wouldn't have, whether for technical or economic
>> That's not good from a privacy advocate's perspective, because we want to
minimize unconsented data flow, period.  Even if we "agree" to a permitted
use (which may be a matter of politics and not what we view as good policy),
we may still think of it as a loophole because it departs from what we view
as the correct DNT norm (don't collect without consent).
>> Put another way, the fact that third parties would still be bound by
rules is secondary to the primary point:  they'd have the data.
>> Lee
>> On Oct 1, 2013, at 6:14 AM, David Wainberg wrote:
>>> On 2013-10-01 9:07 AM, Walter van Holst wrote:
>>>> On 2013-10-01 15:00, David Wainberg wrote:
>>>>> Mike,
>>>>> As the draft spec stands today, under DNT:1 third parties can 
>>>>> collect and use data with an exception or under the permitted 
>>>>> uses. I don't see the loophole. These exceptions are already agreed
>>>> You are assuming that exceptions will always be granted. I rather doubt
that. As far as the permitted uses are concerned, I do not read them as
permitting to share DNT:1 data with third parties.
>>> I'm not assuming that exceptions will always be granted. What does that
have to do with it? And permitted uses will always be allowed.
>>>> So Mike is right, this would create a glaring loophole, which would be
a no-no to me.
>>> I still don't understand what the loophole is. Can you explain further?
>>> -David
Received on Tuesday, 1 October 2013 19:52:42 UTC

This archive was generated by hypermail 2.3.1 : Friday, 3 November 2017 21:45:19 UTC