W3C home > Mailing lists > Public > public-tracking@w3.org > October 2013

RE: tracking-ISSUE-219 (Context separation): 3rd parties that are 1st parties must not use data across these contexts [Compliance Current]

From: Shane M Wiley <wileys@yahoo-inc.com>
Date: Mon, 7 Oct 2013 22:10:02 +0000
To: "Matthias Schunter (Intel Corporation)" <mts-std@schunter.org>, "public-tracking@w3.org" <public-tracking@w3.org>
Message-ID: <DCCF036E573F0142BD90964789F720E31419D5C1@GQ1-MB01-02.y.corp.yahoo.com>
The user provides consent outside of DNT UGE (out of band consent).  Now comes the tricky part of what constitutes "consent" in this case.  The core purpose of a site (David Singer has offered good examples in the past), a "clear" note in their registration process, the site TOS and PP, contextual notice and control options, more?

- Shane

-----Original Message-----
From: Matthias Schunter (Intel Corporation) [mailto:mts-std@schunter.org] 
Sent: Thursday, October 03, 2013 11:38 PM
To: public-tracking@w3.org
Subject: Re: tracking-ISSUE-219 (Context separation): 3rd parties that are 1st parties must not use data across these contexts [Compliance Current]


just to clarify. We are discussing the following case:
- User has DNT;1 turned on "always" (for this example)
- No exceptions are in place for the given party
- The party has 1st and 3rd party elements (e.g., main site and widget)

In a separate discussion, we discuss whether some privacy-preserving personalisation (e.g., language selection) shall be permitted (e.g., using a low entropy cookie).

We now discuss two cases:
(a) Whether the party can transfer information from the 1st party to a 3rd party context
(b) Whether the party can transfer information from the 3rd party to the 1st party context

The focus of this discussion was case (a): Can the party use 1st part data in the 3rd party context.

Examples I see:
- Personalisation of widget "Hi Joe!"
- Tailoring of offers by the widget
- Reading lists and other functionalities

I would expect these user experiences if I have given the party a web-wide exception.

Personally, I would deem these user experiences disturbing if I told everyone that I do not want to be
tracked: "I told party not to track me. How did they find out that it's me visiting this other site?".
And personally speaking, I would normally expect that 3rd and 1st party contexts cannot be correlated.

However, I would be interested in counterexamples and arguments why my personal expectations are different from normal users and/or why my examples do not make sense.



On 03/10/2013 21:16, David Wainberg wrote:
> Mike,
> On 2013-10-03 7:20 AM, Mike O'Neill wrote:
>> If a user sees personalisation when they have explicitly requested 
>> not to be tracked they will assume their wishes are being ignored, 
>> and this will damage the credibility of Do Not Track.
> I disagree. I realize it will be a challenge to get right, but since 
> users will be educated about what DNT does or does not do before they 
> make the choice to turn it on, they'll understand that any post-DNT:1 
> personalization they're seeing is being done in accordance with the 
> DNT rules, and so with limited data retention. In fact, users could 
> come to understand it as a great benefit: they get the 
> personalization, but without their browsing history being accumulated 
> and retained.
> Best,
> -David

Received on Monday, 7 October 2013 22:10:56 UTC

This archive was generated by hypermail 2.3.1 : Friday, 3 November 2017 21:45:19 UTC