ISSUE-240 - Re: Usecases / questions / benchmarks to "validate" the same context definitions

Thanks Matthias,

We talked about this last week and this week Mike and I continued our 
thoughts along the line of the definition proposed by Roy.

As a result of running the test cases we propose an alternative 
defintion of context on the wiki, such that it is open for discussion.

:''A context is a set of resources that MUST share the same data 
controller, and MUST have the same privacy policy, and MUST share a 
common branding, and MUST be declared in the same-party field of the 
Tracking Resource (Well Known Location).''

:''Non-normative Note:''
:''In case the same-party field is empty, then only the given site is 
considered to be the same context.''
:''In order for a definition of context to be granular enough to 
distinguish one context from another, a set of cumulative criteria is 
proposed. The purpose of this definition is to reflect the user 
expectations that data collected for a specified purpose by one of those 
resources is available to all other resources within the same context. 
Data must not be shared between different contexts. Respect for context 
and purpose limitation within a context are important core principles 
for any use of (personal) data within that context. Within any 
particular network interaction within a context, a user can expect that 
session states and other data (strictly) necessary to support the 
activity will be retained or shared.''
:''Given the outcome of the Call for Objections, the full combined 
tracking-context definition reads as: Tracking is the collection of data 
regarding a particular user's activity across multiple distinct contexts 
and the retention, use, or sharing of data derived from that activity 
outside the context in which it occurred. A context is limited to the 
set of resources that share the same data controller, and the same 
privacy policy, and a common branding, and has been declared in the 
same-party field of the Tracking Resource (Well Known Location). In case 
the same-party field is empty, then only the given site is considered to 
be the same context.''


Matthias Schunter (Intel Corporation) schreef op 2014-01-10 12:02:
> Hi Team and dear proposers of definitions for "same context"...
> While contributing to the evaluation of the CfO on "network
> interaction", I realised that it helps to agree on use and test cases
> for the definitions and to understand how these cases are resolved in
> different ways by the different definitions.
> Our goal for the "same context" definition should be to build a
> definition of "tracking" that reflects user expectation. In order to
> reach this goal, I would like to gather "tests" and understand how
> each of the author would address these scenarios/benchmarks/test cases
> assuming that DNT;1 has been received.
> Below, I would like to kick off this discussion by three initial test
> cases /scenarios. I would be interested in how the three definitions
> would currently resolve these tests...
> Regards,
> matthias
> PS: Note that the 3 tests I propose are just a proposal and starting
> point. Feel free to add your own use cases to further flesh out the
> differences between the definitions.
> ==================================================================================================
> ---------- Initial list of test scenarios to differentiate the
> behavior of proposed"same context" definitions under DNT;1 ---
> ==================================================================================================
> Scenario 1: Cross-site collection
> A site has a main sites and many widgets on other sites. It has set a
> cookie and can observe a user visiting the main site and/or any of the
> widgets placed on other sites.
> Site and other sites with widgets do not share branding/privacy 
> polic/...
> Questions to discuss:
> - Is the main site and the widget "same context" or not in a scenario
> where no info is recorded where the widget has been placed (i.e., the
> site records that 8723872377382 has hit the main site XX times and the
> widgets YY times)
> - Is the main site and the widget "same context" or not in a scenario
> where the site records the placement of the widget (e.g., user
> 928398239 has visited main site XX times, the widget on site ZZ has
> been visited WW times, ...)
> Scenario 2: Cross-time collection
> - A user 823892393 (some random ID) is visiting the same site 
> regularily.
> - The site collects a search history attached to this ID
> Question:
> - Are the different visits considered same tracking or not
> Scenario 3: Discovery of the boundary of a context
> - A user browses a site
> Question:
> - Is there a way that the user can find out the boundary of the "same
> context" that is spanned by your definition
> Scenario 4: Service providers
> - A user browses a site that contains service providers that DO NOT
> re-use the data elsewhere
> - The service provider adheres to the same privacy policy and does not
> have its own branding
> Question:
> - Is the site and the service provider servicing the same site "same 
> context"?

Received on Tuesday, 14 January 2014 22:09:29 UTC