Re: tracking-ISSUE-219 (Context separation): 3rd parties that are 1st parties must not use data across these contexts [Compliance Current] from Matthias Schunter (Intel Corporation) on 2013-10-04 (public-tracking@w3.org from October 2013)

From: Matthias Schunter (Intel Corporation) <mts-std@schunter.org>
Date: Fri, 04 Oct 2013 08:37:53 +0200
To: public-tracking@w3.org
Message-ID: <524E6241.5060702@schunter.org>

Hi!

just to clarify. We are discussing the following case:
- User has DNT;1 turned on "always" (for this example)
- No exceptions are in place for the given party
- The party has 1st and 3rd party elements (e.g., main site and widget)

In a separate discussion, we discuss whether some privacy-preserving 
personalisation (e.g., language selection) shall be permitted (e.g., 
using a low entropy cookie).

We now discuss two cases:
(a) Whether the party can transfer information from the 1st party to a 
3rd party context
(b) Whether the party can transfer information from the 3rd party to the 
1st party context

The focus of this discussion was case (a): Can the party use 1st part 
data in the 3rd party context.

Examples I see:
- Personalisation of widget "Hi Joe!"
- Tailoring of offers by the widget
- Reading lists and other functionalities

I would expect these user experiences if I have given the party a 
web-wide exception.

Personally, I would deem these user experiences disturbing if I told 
everyone that I do not want to be
tracked: "I told party not to track me. How did they find out that it's 
me visiting this other site?".
And personally speaking, I would normally expect that 3rd and 1st party 
contexts cannot be correlated.

However, I would be interested in counterexamples and arguments why my 
personal expectations are different from normal users and/or why my 
examples do not make sense.

Feedback?

Regards,
matthias

On 03/10/2013 21:16, David Wainberg wrote:
> Mike,
>
> On 2013-10-03 7:20 AM, Mike O'Neill wrote:
>> If a user sees personalisation when they have explicitly requested 
>> not to be tracked they will assume their wishes are being ignored, 
>> and this will damage the credibility of Do Not Track.
> I disagree. I realize it will be a challenge to get right, but since 
> users will be educated about what DNT does or does not do before they 
> make the choice to turn it on, they'll understand that any post-DNT:1 
> personalization they're seeing is being done in accordance with the 
> DNT rules, and so with limited data retention. In fact, users could 
> come to understand it as a great benefit: they get the 
> personalization, but without their browsing history being accumulated 
> and retained.
>
> Best,
>
> -David
>
>

Received on Friday, 4 October 2013 06:38:19 UTC