
RE: tracking-ISSUE-219 (Context separation): 3rd parties that are 1st parties must not use data across these contexts [Compliance Current]

From: Mike O'Neill <michael.oneill@baycloud.com>
Date: Thu, 3 Oct 2013 16:11:06 +0100
To: "'Rob Sherman'" <robsherman@fb.com>, "'Walter van Holst'" <walter.van.holst@xs4all.nl>, <public-tracking@w3.org>
Message-ID: <22cc01cec04a$c92fa9a0$5b8efce0$@baycloud.com>

The problem is not customisation per se but relying on the use of persistent
unique ids to do it. If you do not track you do not need unique ids - you
can still customise with low entropy cookies i.e. ("I prefer green like
buttons", "My preferred language is German"). Using unique ids also lets you
collect web activity. If someone has DNT set and you do not have a permitted
use you do not need to store or use (or derive) unique ids.

If you log out of your Facebook account there are still persistent (2 yr)
unique id cookies retained. If you go to a Facebook page you are presented
with your name/email ready for you to log in, showing you that Facebook's
servers know who you are. If someone sets Do Not Track I think they would
expect that not to occur.


-----Original Message-----
From: Rob Sherman [mailto:robsherman@fb.com] 
Sent: 03 October 2013 14:43
To: Mike O'Neill; 'Walter van Holst'; public-tracking@w3.org
Subject: Re: tracking-ISSUE-219 (Context separation): 3rd parties that are
1st parties must not use data across these contexts [Compliance Current]

I think we may be talking past each other.  What I'm trying to do is
distinguish between the use of previously collected data for customization,
on the one hand, from the collection of browsing behavioral data, on the
other hand.  What I'm suggesting is that it is possible for a party to
customize without collecting future behavioral data for non-permitted uses
and that we should recognize that distinction in the spec -- and I think in
large part you're both talking about the data collection, not the use for

Mike raises a separate point, which is that using first-party data for
customization (again, in the absence of data collection for non-permitted
uses) could cause people to "assume their wishes are being ignored," which
of course would not be the case for a company honoring the standard.  This
seems like more of a business issue than a technical or policy one.  If we
are concerned about collecting behavioral data, then companies who purport
to comply with the standard should not collect that data in ways that are
not permitted.  It certainly may be a good practice for companies to go
further and do other things to signal their compliance -- such as providing
a visible "DNT is on" indicator, etc. -- but these are things that companies
should be free to do or not do to promote positive relationships with their
users, not by a mandate in a specification.

I agree that Facebook, as a specific example, may be in a good position to
get consent from users -- but of course we can't write a standard for one
company specifically.  As a general matter, if we're concerned about data
collection on a per-network interaction basis, it seems excessive to write a
standard that retroactively restricts other data that was collected directly
from a user when DNT restrictions were not in place.

Also, Walter's note seems to imply that Facebook is building behavioral
advertising profiles using impression data from the Like button and that
this is happening without people's knowledge today.  I'm not sure what the
basis for this is, since our practice is to deidentify/delete plugin
impression data on a regular basis, whether or not DNT is enabled.

Rob Sherman
Facebook | Manager, Privacy and Public Policy
1299 Pennsylvania Avenue, NW | Suite 800 | Washington, DC 20004
office 202.370.5147 | mobile 202.257.3901

On 10/3/13 7:20 AM, "Mike O'Neill" <michael.oneill@baycloud.com> wrote:

>I agree with Walter.
>If a user finds value in this kind of personalisation then it should be 
>straightforward to obtain their consent. In fact it should be easier 
>for Facebook to obtain it than others, either by recruiting publishers 
>to ask for a site-specific UGE or getting a web-wide one on your own site.
>Using unique ids to collect a user's web activity is the essence of 
>tracking. If a user sees personalisation when they have explicitly 
>requested not to be tracked they will assume their wishes are being 
>ignored, and this will damage the credibility of Do Not Track. Without 
>an unambiguous and widely honoured DNT signal meeting widespread 
>privacy concerns, the arms-race will continue - wasting many 
>developers' time and damaging innovation and trust on the web.
>-----Original Message-----
>From: Walter van Holst [mailto:walter.van.holst@xs4all.nl]
>Sent: 03 October 2013 08:37
>To: public-tracking@w3.org
>Subject: Re: tracking-ISSUE-219 (Context separation): 3rd parties that 
>are 1st parties must not use data across these contexts [Compliance 
>On 2013-10-03 05:08, Rob Sherman wrote:
>> Walter,
>> I don't think it's correct as a per se matter that use of first party 
>> data outside of the website on which it was collected runs counter to 
>> consumer expectations.  In some cases, of course, that would be true 
>> (if I send an email on my gmail account, I would not expect to see 
>> that email on the front page of nytimes.com), but there are many 
>> instances in which I do think that this use would be expected.  For 
>> example, as a user of Facebook, I would find it contextually 
>> appropriate Facebook to use data I provided to it as a first-party to 
>> personalize my experience on other websites that have Facebook 
>> plugins.  The proposal you offer below would undermine that 
>> expectation and would break that functionality.  It seems most 
>> reasonable to assume that users who don't want data they provide to 
>> Facebook to be used on other websites can choose (1) not to give 
>> Facebook the data in the first instance, (2) to turn off Facebook 
>> Platform in their settings, or (3) to log out of Facebook when they 
>> are done using it.
>> Obviously, this is a specific example, but my point is that it's not 
>> good policy to make a general assumption that it's never expected to 
>> use data across multiple sites and to limit functionality on the 
>> basis of that assumption.
>To the contrary. This change proposal has been made with, among others, 
>Facebook plugins in mind. Your typical Facebook user is not aware that 
>visiting a webpage with a Facebook Like Button (one of the most 
>prolific Facebook plugins) results in Facebook being able to record 
>that visit, up to the point of recording the contents of that webpage 
>and the duration of the visit.
>The Facebook privacy settings are themselves a study in obfuscation 
>which I'd rather not discuss here. Being logged on to Facebook is also 
>typically something that the user often may not be aware of. Moreover, 
>Facebook is perfectly positioned to acquire consent through the 
>exceptions mechanism. Which BTW should be done on a per 1st party basis.
>In short, I don't think I could disagree much more with you here. The 
>data gathering through Facebook plugins is a typical example of what 
>users perceive as stalking or otherwise creepy as soon as they become 
>aware of it. Which most of them aren't. Yet.
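Mike's opening paragraph draws a line between customisation, which needs only low-entropy preference cookies, and tracking, which needs a persistent unique id. The sketch below is an added example of that distinction in a server's Set-Cookie logic; it is example code written for this page, not Facebook's or any list member's, and the cookie names, the allow-listed value sets and the rule that a uid is issued only without DNT:1 or with a permitted use are constructed assumptions.

```python
import math
from http.cookies import SimpleCookie

# Allow-listed preference cookies. Each carries one of a handful of values, so the
# combination narrows a visitor to a large group, never to an individual.
# The cookie names and value sets are constructed for this example.
PREF_CHOICES = {
    "lang": ("en", "de", "fr", "es"),
    "theme": ("light", "dark", "contrast"),
}

def dnt_enabled(headers):
    """True when the request carries DNT: 1, the only value that expresses a preference."""
    return headers.get("DNT", "").strip() == "1"

def preference_cookies(requested):
    """Keep only preferences whose value is on the allow-list and drop everything else.
    Rejecting free-text values is what keeps the cookies low-entropy: echoing an
    arbitrary string back would let a unique id ride along inside a 'preference'."""
    kept = {}
    for name, value in requested.items():
        choices = PREF_CHOICES.get(name)
        if choices and value in choices:
            kept[name] = value
    return kept

def identifying_bits(cookies):
    """Upper bound on the bits of identifying information the allow-listed cookies carry."""
    return sum(math.log2(len(PREF_CHOICES[n])) for n in cookies if n in PREF_CHOICES)

def build_set_cookie(headers, requested, new_uid, permitted_use=False):
    """Return Set-Cookie lines: preference cookies always; a unique id only when DNT
    is not set, or when the server has a permitted use for it."""
    jar = SimpleCookie()
    for name, value in preference_cookies(requested).items():
        jar[name] = value
        jar[name]["max-age"] = 365 * 24 * 3600
        jar[name]["samesite"] = "Lax"
    if not dnt_enabled(headers) or permitted_use:
        jar["uid"] = new_uid
        jar["uid"]["max-age"] = 2 * 365 * 24 * 3600  # the 2-year lifetime discussed above
        jar["uid"]["httponly"] = True
        jar["uid"]["samesite"] = "Lax"
    return [morsel.OutputString() for morsel in jar.values()]

if __name__ == "__main__":
    # Constructed request: DNT:1 plus one valid and one free-text preference.
    for line in build_set_cookie({"DNT": "1"}, {"lang": "de", "theme": "abc123"}, "constructed-uid"):
        print("Set-Cookie:", line)
```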
Received on Thursday, 3 October 2013 15:11:48 UTC