- From: David Wainberg <dwainberg@appnexus.com>
- Date: Tue, 24 Sep 2013 12:34:26 -0400
- To: Walter van Holst <walter.van.holst@xs4all.nl>
- CC: <public-tracking@w3.org>
Common ownership or control is the wrong requirement. It's not a useful factor evaluating privacy. We should replace it with common data governance regime. On one hand, you could have a network of commonly owned sites but without common branding, and with wildly disparate privacy policies. On the other hand, you could have a network of websites that are affiliated by contract but have mutually and publicly agreed to a strict set of privacy controls. There is no distinction from the user's perspective. Comparing these two, why is ownership on its own better for privacy and better for users? And why would we favor the first model over the second? Let's say a company owns a network of 100,000 typosquatting and SEO spam domains where you drop cookies and collect referrer URLS, including search keywords. Among them, just as a result of history and neglect, there are about 40 different privacy policies. Then, that same company also owns a large network of seemingly unrelated niche blogs where it serves ads. Same situation there with the privacy policies. Under the common ownership approach, as long as every one of those pages has a link to a page where users can discover the common owner, they can collect and use data as you wish across all of those domains. Compare that to 1000 high quality, independently owned niche blogs. They form an affiliate network via contract with a 3rd party network to collect data and serve ads across the network. They each agree in their contract to a common, strict set of privacy controls, and they post notice of these controls prominently on their sites. Under the current common ownership model, sharing and using data across this network would be prohibited under DNT. Why? It's a much better privacy scenario than the previous example. Comparing these two scenarios, does the outcome make any sense? The common ownership and control approach puts an emphasis on acquisition and ownership rather than actual practices. This allows companies to do by acquisition what cannot be done by partnership, and so favors big companies over small for no sensible policy reason. Contracts, on the other hand, represent clear, legally binding rules, imply a level of diligence, and can unify privacy practices across many sites and entities. Contracts can provide stricter, more consistent, more predictable privacy controls than ownership. On 2013-09-23 6:46 PM, Walter van Holst wrote: > On 23/09/2013 04:40, Roy T. Fielding wrote: > >> The following is also fine with me: >> >> A party is a natural person, a legal entity, or a set of legal >> entities that share common owner(s), common controller(s), and >> a group identity that is easily discoverable by a user. > Let's go fot that then and take care of the objective > transparency/discoverability criteria in the first and third party > definitions. > > Regards, > > Walter > >
Received on Tuesday, 24 September 2013 16:34:56 UTC