W3C home > Mailing lists > Public > public-tracking@w3.org > September 2013

Re: Party definition, was: Re: proposed short-term changes to TCS

From: David Wainberg <dwainberg@appnexus.com>
Date: Tue, 24 Sep 2013 12:34:26 -0400
Message-ID: <5241BF12.3030106@appnexus.com>
To: Walter van Holst <walter.van.holst@xs4all.nl>
CC: <public-tracking@w3.org>
Common ownership or control is the wrong requirement. It's not a useful 
factor evaluating privacy. We should replace it with common data 
governance regime. On one hand, you could have a network of commonly 
owned sites but without common branding, and with wildly disparate 
privacy policies. On the other hand, you could have a network of 
websites that are affiliated by contract but have mutually and publicly 
agreed to a strict set of privacy controls. There is no distinction from 
the user's perspective. Comparing these two, why is ownership on its own 
better for privacy and better for users? And why would we favor the 
first model over the second?

Let's say a company owns a network of 100,000 typosquatting and SEO spam 
domains where you drop cookies and collect referrer URLS, including 
search keywords. Among them, just as a result of history and neglect, 
there are about 40 different privacy policies. Then, that same company 
also owns a large network of seemingly unrelated niche blogs where it 
serves ads. Same situation there with the privacy policies. Under the 
common ownership approach, as long as every one of those pages has a 
link to a page where users can discover the common owner, they can 
collect and use data as you wish across all of those domains.

Compare that to 1000 high quality, independently owned niche blogs. They 
form an affiliate network via contract with a 3rd party network to 
collect data and serve ads across the network. They each agree in their 
contract to a common, strict set of privacy controls, and they post 
notice of these controls prominently on their sites. Under the current 
common ownership model, sharing and using data across this network would 
be prohibited under DNT. Why? It's a much better privacy scenario than 
the previous example.

Comparing these two scenarios, does the outcome make any sense? The 
common ownership and control approach puts an emphasis on acquisition 
and ownership rather than actual practices. This allows companies to do 
by acquisition what cannot be done by partnership, and so favors big 
companies over small for no sensible policy reason. Contracts, on the 
other hand, represent clear, legally binding rules, imply a level of 
diligence, and can unify privacy practices across many sites and 
entities. Contracts can provide stricter, more consistent, more 
predictable privacy controls than ownership.

On 2013-09-23 6:46 PM, Walter van Holst wrote:
> On 23/09/2013 04:40, Roy T. Fielding wrote:
>> The following is also fine with me:
>>    A party is a natural person, a legal entity, or a set of legal
>>    entities that share common owner(s), common controller(s), and
>>    a group identity that is easily discoverable by a user.
> Let's go fot that then and take care of the objective
> transparency/discoverability criteria in the first and third party
> definitions.
> Regards,
>   Walter
Received on Tuesday, 24 September 2013 16:34:56 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 17:39:56 UTC