Re: tracking-ISSUE-219 (Context separation): 3rd parties that are 1st parties must not use data across these contexts [Compliance Current] from Rob Sherman on 2013-10-03 (public-tracking@w3.org from October 2013)

From: Rob Sherman <robsherman@fb.com>
Date: Thu, 3 Oct 2013 03:08:23 +0000
To: Tracking Protection Working Group <public-tracking@w3.org>
Message-ID: <CE71FEED.7B12B%robsherman@fb.com>
Walter,

I don't think it's correct as a per se matter that use of first party data
outside of the website on which it was collected runs counter to consumer
expectations.  In some cases, of course, that would be true (if I send an
email on my gmail account, I would not expect to see that email on the
front page of nytimes.com), but there are many instances in which I do
think that this use would be expected.  For example, as a user of
Facebook, I would find it contextually appropriate Facebook to use data I
provided to it as a first-party to personalize my experience on other
websites that have Facebook plugins.  The proposal you offer below would
undermine that expectation and would break that functionality.  It seems
most reasonable to assume that users who don't want data they provide to
Facebook to be used on other websites can choose (1) not to give Facebook
the data in the first instance, (2) to turn off Facebook Platform in their
settings, or (3) to log out of Facebook when they are done using it.
Obviously, this is a specific example, but my point is that it's not good
policy to make a general assumption that it's never expected to use data
across multiple sites and to limit functionality on the basis of that
assumption.

More broadly, this proposal is at odds with one of the basic goals that
I've heard articulated by many in this group:  that DNT should, subject to
permitted uses, consent, legal compliance, etc., operate to prevent
retention of identifiable browsing history across websites by third
parties.  I've heard many people argue that DNT shouldn't be synonymous
with an OBA opt-out -- it tells users not to track (that is, collect) new
information but doesn't have retroactive effect on data collected outside
of that network interaction.

If I am understanding it correctly, though, your proposal essentially says
that previously collected data -- which may have been subject to a DNT:0
when it was collected -- may nonetheless be subject to a retroactive usage
restriction, which seems inconsistent with this general approach.

The cleanest solution seems to be that we would leave the text as-is in
the June draft (restricting use of third-party data but not limiting use
of first party data).  We can then require first parties to comply with
commitments they have made to their users (see discussion around Vinay's
ISSUE-170 text proposal) under First Party Compliance in order to address
your concern about situations in which a user wouldn't expect first party
data to be used in another context.

If you have concerns about this approach, feel free to give me a shout
off-list and we can find some time to talk through whether there's an
approach that would work for both of us here.  But I do think we can solve
the concern about context without a drastic shift like the one you're
proposing here.

[Nick -- for clarity, my proposal on new ISSUE-219 is "no change."]

Rob


Rob Sherman
Facebook | Manager, Privacy and Public Policy
1155 F Street, NW Suite 475 | Washington, DC 20004
office 202.370.5147 | mobile 202.257.3901





On 10/2/13 6:59 AM, "Tracking Protection Working Group Issue Tracker"
<sysbot+tracker@w3.org> wrote:

>tracking-ISSUE-219 (Context separation): 3rd parties that are 1st parties
>must not use data across these contexts [Compliance Current]
>
>http://www.w3.org/2011/tracking-protection/track/issues/219
>
>Raised by: Walter van Holst
>On product: Compliance Current
>
>The current standard allows for a) 1st parties that sometimes also are
>3rd parties to b) use data gathered in that 1st party quality when in a
>3rd party quality. This runs counter to reasonable user expectations and
>against the very core issue: the tracking across different contexts.
>Therefore:
>
>"the third party MUST NOT use data about previous network interactions in
>which it was a third party, outside of the permitted uses as defined
>within this recommendation and any explicitly-granted exceptions,
>provided in accordance with the requirements of this recommendation."
>
>Should replaced with:
>
>"the third party MUST NOT use data bout previous network interactions in
>which it was a party, outside of the meritted uses as defined within this
>recommendation and any explicitly-granted exceptions, provided in
>accordance with the requirements of this recommendation."
>
>
>
Received on Thursday, 3 October 2013 03:08:48 UTC