W3C home > Mailing lists > Public > public-tracking@w3.org > October 2013

Re: New Change Proposal for Issue-10: remove party definitions

From: David Wainberg <dwainberg@appnexus.com>
Date: Tue, 8 Oct 2013 18:01:42 -0400
Message-ID: <525480C6.7080509@appnexus.com>
To: Justin Brookman <jbrookman@cdt.org>
CC: "public-tracking@w3.org" <public-tracking@w3.org>

On 2013-10-08 5:57 PM, Justin Brookman wrote:
> On Oct 8, 2013, at 5:46 PM, David Wainberg <dwainberg@appnexus.com 
> <mailto:dwainberg@appnexus.com>> wrote:
>> Hi Justin,
>> First, note that I will propose contextual definitions to replace the 
>> party definitions under 221. The matrix of rules was intended to 
>> illustrate how thinking contextually greatly simplifies the 
>> expression of the rules.
>> I agree the current draft is highly context dependent. In fact, 
>> that's my point. It's all context dependent, yet it's written in 
>> terms of parties. The rules apply to context and data, not to 
>> parties, especially since parties change or data is passed between 
>> parties. By defining the rules in terms of context, we make the rules 
>> much clearer.
> Thanks, David, this is helpful.  If I understand it correctly, nearly 
> all of this is editorial then.  You would still need definitions of 
> "first party" and "third party" but they would be adjectives (to 
> describe context) instead of nouns.  That said, I don't quite take 
> what you mean by "parties change, or data is passed between parties" 
> --- presumably the underlying rules for what a party could do with 
> data don't actually change under your proposed revision.  Or are you 
> proposing to delete the word "party" too?

No, you've got it right. Adjectives not nouns. What I mean about parties 
changing or data being passed is that parties holding or using data 
could be 1st or 3rd parties at different times, but the rules tie back 
to the data.

>> And, yes, a number of editorial changes would flow from the change to 
>> make the draft consistent with the contextual rather than party 
>> approach.
>> Here's an example. The current draft says in section 5.2.2:
>> /Third parties must provide public transparency of the time periods 
>> for which data collected for permitted uses are retained. The third 
>> party may enumerate different retention periods for different 
>> permitted uses. Data must not be used for a permitted use once the 
>> data retention period for that permitted use has expired. After there 
>> are no remaining permitted uses for given data, the data must be 
>> deleted or de-identified./
>> This is a requirement that applies outside of a network interaction. 
>> Who are the Third Parties to whom this transparency requirement 
>> applies? What we really mean is that the rule applies for data 
>> collected in a 3rd party context:
>>  "/All parties must provide public transparency for the time periods 
>> for which data collected in a 3rd party context is retained for 
>> permitted uses. Parties may enumerate * * *. Data that was collected 
>> in a 3rd party context must not be used for a permitted use once the 
>> data retention period for that permitted use has expired. * * *"/
> Right, but presumably parties that never appear in a third-party 
> context would not have to make such representations. That is, 
> publishers wouldn't have to affirmatively say "We don't collect or 
> retain data in a third-party context."  Again, all this is editorial I 
> think.

Is it that the parties never appear in a 3rd party context or that they 
never have data that was collected in a 3rd party context?

>> -David
>> On 2013-10-08 5:21 PM, Justin Brookman wrote:
>>> Hi David,
>>> I'm still struggling to understand what your proposal means, or even 
>>> how it differs in principle from the current editors' draft.
>>> Under the current compliance standard, the rules for collection and 
>>> use are already *heavily dependent upon context*:  If you're a third 
>>> party, you can only collect and use data pursuant to operational 
>>> permitted uses or user-granted exception.  This remains true even 
>>> when the third party later engages with the user in a first party 
>>> context.
>>> For first parties, they can do whatever they want in the first party 
>>> context except evade the standard (details on how that works still 
>>> being worked out).  There is an open issue over what first parties 
>>> who collect data can do in a later third-party context.
>>> So the standard is already heavily context-dependent --- your matrix 
>>> is currently addressed in the standard.  I read your proposal to 
>>> just ask for the deletion of first and third party from the 
>>> compliance spec, which would remove (some of) the contextual 
>>> language from the current standard without offering replacement 
>>> text.  Simply deleting the definitions of first and third party 
>>> without more doesn't make logical sense within the current document; 
>>> you would need to change the subsequent operational language as 
>>> well.  And I'm afraid I don't understand how what you're envisioning 
>>> differs from what the document currently accomplishes.
>>> On Oct 8, 2013, at 5:02 PM, David Wainberg <dwainberg@appnexus.com 
>>> <mailto:dwainberg@appnexus.com>> wrote:
>>>> Hi All,
>>>> *Proposal*: eliminate the definitions for first and third party and 
>>>> instead define the contexts of data collection and use, per ISSUE-221.
>>>> *Rationale*: Defining contexts of collection and use, rather than 
>>>> parties, is more precise and clear, and so will avoid confusion and 
>>>> misinterpretation of the spec. Speaking in terms of context goes 
>>>> right to the point. Parties are not inherently one or the other. 
>>>> Company X is a party. Is it a first party or a third party? We 
>>>> don't know until we see the context in which it is collecting or 
>>>> using data at any given moment. So let's just talk about the 
>>>> context, then.
>>>> Or, to put it slightly differently, parties can morph between 1st 
>>>> and 3rd. They can hold data that was collected in either context 
>>>> and they can use data in either context. But what matters is that 
>>>> context in which the data is collected or used. And the DNT signal 
>>>> carries over with the data, even as the party switches contexts. 
>>>> Therefore 1st or 3rd-ness is really a property of the data, not of 
>>>> the party. And, it follows that it's clearer to talk about applying 
>>>> rules to the data rather than to parties.
>>>> Thanks for considering this change.
>>>> -David
Received on Tuesday, 8 October 2013 22:02:12 UTC

This archive was generated by hypermail 2.3.1 : Friday, 3 November 2017 21:45:19 UTC