W3C home > Mailing lists > Public > public-tracking@w3.org > October 2013

Re: tracking-ISSUE-219 (Context separation): 3rd parties that are 1st parties must not use data across these contexts [Compliance Current]

From: Rob Sherman <robsherman@fb.com>
Date: Thu, 3 Oct 2013 13:43:22 +0000
To: "Mike O'Neill" <michael.oneill@baycloud.com>, "'Walter van Holst'" <walter.van.holst@xs4all.nl>, "public-tracking@w3.org" <public-tracking@w3.org>
Message-ID: <CE72E8D9.7B349%robsherman@fb.com>
I think we may be talking past each other.  What I'm trying to do is
distinguish between the use of previously collected data for
customization, on the one hand, from the collection of browsing behavioral
data, on the other hand.  What I'm suggesting is that it is possible for a
party to customize without collecting future behavioral data for
non-permitted uses and that we should recognize that distinction in the
spec -- and I think in large part you're both talking about the data
collection, not the use for customization.

Mike raises a separate point, which is that using first-party data for
customization (again, in the absence of data collection for non-permitted
uses) could cause people to "assume their wishes are being ignored," which
of course would not be the case for a company honoring the standard.  This
seems like more of a business issue than a technical or policy one.  If we
are concerned about collecting behavioral data, then companies who purport
to comply with the standard should not collect that data in ways that are
not permitted.  It certainly may be a good practice for companies to go
further and do other things to signal their compliance -- such as
providing a visible "DNT is on" indicator, etc. -- but these are things
that companies should be free to do or not do to promote positive
relationships with their users, not by a mandate in a specification.

I agree that Facebook, as a specific example, may be in a good position to
get consent from users -- but of course we can't write a standard for one
company specifically.  As a general matter, if we're concerned about data
collection on a per-network interaction basis, it seems excessive to write
a standard that retroactively restricts other data that was collected
directly from a user when DNT restrictions were not in place.

Also, Walter's note seems to imply that Facebook is building behavioral
advertising profiles using impression data from the Like button and that
this is happening without people's knowledge today.  I'm not sure what the
basis for this is, since our practice is to deidentify/delete plugin
impression data on a regular basis, whether or not DNT is enabled.

Rob Sherman
Facebook | Manager, Privacy and Public Policy
1299 Pennsylvania Avenue, NW | Suite 800 | Washington, DC 20004
office 202.370.5147 | mobile 202.257.3901

On 10/3/13 7:20 AM, "Mike O'Neill" <michael.oneill@baycloud.com> wrote:

>I agree with Walter.
>If a user finds value in this kind of personalisation then it should be
>straightforward to obtain their consent. In fact it should be easier for
>Facebook to obtain it than others, either by recruiting publishers to ask
>for a site-specific UGE or getting a web-wide one on your own site.
>Using unique ids to collect a user's web activity is the essence of
>tracking. If a user sees personalisation when they have explicitly
>requested not to be tracked they will assume their wishes are being
>ignored, and this will damage the credibility of Do Not Track. Without an
>unambiguous and widely honoured DNT signal meeting widespread privacy
>concerns, the arms-race will continue - wasting many developers' time and
>damaging innovation and trust on the web.
>-----Original Message-----
>From: Walter van Holst [mailto:walter.van.holst@xs4all.nl]
>Sent: 03 October 2013 08:37
>To: public-tracking@w3.org
>Subject: Re: tracking-ISSUE-219 (Context separation): 3rd parties that
>are 1st parties must not use data across these contexts [Compliance
>On 2013-10-03 05:08, Rob Sherman wrote:
>> Walter,
>> I don't think it's correct as a per se matter that use of first party
>> data outside of the website on which it was collected runs counter to
>> consumer expectations.  In some cases, of course, that would be true
>> (if I send an email on my gmail account, I would not expect to see
>> that email on the front page of nytimes.com), but there are many
>> instances in which I do think that this use would be expected.  For
>> example, as a user of Facebook, I would find it contextually
>> appropriate Facebook to use data I provided to it as a first-party to
>> personalize my experience on other websites that have Facebook
>> plugins.  The proposal you offer below would undermine that
>> expectation and would break that functionality.  It seems most
>> reasonable to assume that users who don't want data they provide to
>> Facebook to be used on other websites can choose (1) not to give
>> Facebook the data in the first instance, (2) to turn off Facebook
>> Platform in their settings, or (3) to log out of Facebook when they
>> are done using it.
>> Obviously, this is a specific example, but my point is that it's not
>> good policy to make a general assumption that it's never expected to
>> use data across multiple sites and to limit functionality on the basis
>> of that assumption.
>To the contrary. This change proposal has been made with, among others,
>Facebook plugins in mind. Your typical Facebook user is not aware that
>visiting a webpage with a Facebook Like Button (one of the most prolific
>Facebook plugins) results in Facebook being able to record that visit, up
>to the point of recording the contents of that webpage and the duration
>of the visit.
>The Facebook privacy settings are themselves a study in obfuscation which
>I'd rather not discuss here. Being logged on to Facebook is also
>typically something that the user often may not be aware of. Moreover,
>Facebook is perfectly positioned to acquire consent through the
>exceptions mechanism. Which BTW should be done on a per 1st party basis.
>In short, I don't think I could disagree much more with you here. The
>data gathering through Facebook plugins are a typical example of what
>users perceive as stalking or otherwise creepy as soon as they become
>aware of. Which most of them aren't. Yet.
Received on Thursday, 3 October 2013 13:44:02 UTC

This archive was generated by hypermail 2.3.1 : Friday, 3 November 2017 21:45:19 UTC