Re: tracking-ISSUE-219 (Context separation): 3rd parties that are 1st parties must not use data across these contexts [Compliance Current]

From: David Wainberg <dwainberg@appnexus.com>
Date: Fri, 4 Oct 2013 09:50:29 -0400
Message-ID: <524EC7A5.9000503@appnexus.com>
To: "Matthias Schunter (Intel Corporation)" <mts-std@schunter.org>
CC: <public-tracking@w3.org>

Hi Matthias,

On 2013-10-04 2:37 AM, Matthias Schunter (Intel Corporation) wrote:
> Hi!
>
> just to clarify. We are discussing the following case:
> - User has DNT;1 turned on "always" (for this example)
> - No exceptions are in place for the given party
> - The party has 1st and 3rd party elements (e.g., main site and widget)
>
> In a separate discussion, we discuss whether some privacy-preserving 
> personalisation (e.g., language selection) shall be permitted (e.g., 
> using a low entropy cookie).
>
> We now discuss two cases:
> (a) Whether the party can transfer information from the 1st party to a 
> 3rd party context
> (b) Whether the party can transfer information from the 3rd party to 
> the 1st party context
I think transfer is the wrong word, as it implies changing possession 
from one party to another. I think what you mean is use between contexts.
>
> The focus of this discussion was case (a): Can the party use 1st party 
> data in the 3rd party context.
>
> Examples I see:
> - Personalisation of widget "Hi Joe!"
> - Tailoring of offers by the widget
> - Reading lists and other functionalities
As someone else pointed out (was it Rob?), it's good to distinguish 
personalization from customization or tailoring. "Hi Joe!" suggests you 
have personally identifiable information associated. You can tailor 
content without PII.
>
> I would expect these user experiences if I have given the party a 
> web-wide exception.
>
> Personally, I would deem these user experiences disturbing if I told 
> everyone that I do not want to be
> tracked: "I told party not to track me. How did they find out that 
> it's me visiting this other site?".
> And personally speaking, I would normally expect that 3rd and 1st 
> party contexts cannot be correlated.
>
> However, I would be interested in counterexamples and arguments why my 
> personal expectations are different from normal users and/or why my 
> examples do not make sense.
Anecdotally, I find people on a spectrum. Personalization may be 
surprising to people, depending on the context. But I know that in the 
early days of Amazon, I was initially surprised to see personalized 
recommendations from Amazon in a 1st or 3rd party context. But now I'm 
quite comfortable. I find that people do seem comfortable with 
non-personal tailoring when they are comfortable with the underlying 
practices.

Other examples:
- tailoring based on a visit to another site indicating an interest in 
sports
- tailoring based on shopping for a product: you visit the Nike store 
and you later get an ad from Nike

Best,

David
Received on Friday, 4 October 2013 13:51:05 UTC
