W3C home > Mailing lists > Public > public-tracking@w3.org > October 2013

RE: tracking-ISSUE-219 (Context separation): 3rd parties that are 1st parties must not use data across these contexts [Compliance Current]

From: Mike O'Neill <michael.oneill@baycloud.com>
Date: Thu, 3 Oct 2013 12:20:57 +0100
To: "'Walter van Holst'" <walter.van.holst@xs4all.nl>, <public-tracking@w3.org>, "Rob Sherman" <robsherman@fb.com>
Message-ID: <220f01cec02a$a28fb710$e7af2530$@baycloud.com>
Rob,

I agree with Walter.

If a user finds value in this kind of personalisation then it should be straightforward to obtain their consent. In fact it should be easier for Facebook to obtain it than others, either by recruiting publishers to ask for a site-specific UGE or getting a web-wide one on your own site. 

Using unique ids to collect a user's web activity is the essence of tracking. If a user sees personalisation when they have explicitly requested not to be tracked they will assume their wishes are being ignored, and this will damage the credibility of Do Not Track. Without an unambiguous and widely honoured DNT signal meeting widespread privacy concerns, the arms-race will continue - wasting many developers' time and damaging innovation and trust on the web.

Mike



-----Original Message-----
From: Walter van Holst [mailto:walter.van.holst@xs4all.nl] 
Sent: 03 October 2013 08:37
To: public-tracking@w3.org
Subject: Re: tracking-ISSUE-219 (Context separation): 3rd parties that are 1st parties must not use data across these contexts [Compliance Current]

On 2013-10-03 05:08, Rob Sherman wrote:
> Walter,
> 
> I don't think it's correct as a per se matter that use of first party 
> data outside of the website on which it was collected runs counter to 
> consumer expectations.  In some cases, of course, that would be true 
> (if I send an email on my gmail account, I would not expect to see 
> that email on the front page of nytimes.com), but there are many 
> instances in which I do think that this use would be expected.  For 
> example, as a user of Facebook, I would find it contextually 
> appropriate Facebook to use data I provided to it as a first-party to 
> personalize my experience on other websites that have Facebook 
> plugins.  The proposal you offer below would undermine that 
> expectation and would break that functionality.  It seems most 
> reasonable to assume that users who don't want data they provide to 
> Facebook to be used on other websites can choose (1) not to give 
> Facebook the data in the first instance, (2) to turn off Facebook 
> Platform in their settings, or (3) to log out of Facebook when they 
> are done using it.
> Obviously, this is a specific example, but my point is that it's not 
> good policy to make a general assumption that it's never expected to 
> use data across multiple sites and to limit functionality on the basis 
> of that assumption.

To the contrary. This change proposal has been made with, among others, Facebook plugins in mind. Your typical Facebook user is not aware that visiting a webpage with a Facebook Like Button (one of the most prolific Facebook plugins) results in Facebook being able to record that visit, up to the point of recording the contents of that webpage and the duration of the visit.

The Facebook privacy settings are themselves a study in obfuscation which I'd rather not discuss here. Being logged on to Facebook is also typically something that the user often may not be aware of. Moreover, Facebook is perfectly positioned to acquire consent through the exceptions mechanism. Which BTW should be done on a per 1st party basis.

In short, I don't think I could disagree much more with you here. The data gathering through Facebook plugins are a typical example of what users perceive as stalking or otherwise creepy as soon as they become aware of. Which most of them aren't. Yet.

Regards,

Walter
Received on Thursday, 3 October 2013 11:21:36 UTC

This archive was generated by hypermail 2.3.1 : Friday, 3 November 2017 21:45:19 UTC