Re: [ISSUE-206] Service Provider (and related ISSUE-219 question)

Thank you, Roy.  No one has objected to this revision the past two weeks it has been discussed on the calls.  Unless anyone objects to the public list, we'll close this issue out and adopt this definition.

One question:  If we allow first-party data to be used in other contexts (ISSUE-219), would this service provider exception allow ad intermediaries to serve retargeted ads (based on first-party client data) for a wide range of clients/publishers?  That is, Ad X could collect and store data on behalf of Sites 1-300, and then serve targeted ads based on any one of those 300 silos when a user visits Site 301?  As long as the contracts allow this and prohibit use of blended data across silos?

Just trying to understand how this would play out in practice.  I understand there are other proposals before the group that would allow for retargeting anyway.

On May 14, 2014, at 2:13 PM, Roy T. Fielding <fielding@gbiv.com> wrote:

> ISSUE-206: Service Provider name and requirements
> 
> I have amended our proposal to be more consistent with the current TPE
> and be less ambiguous about which party is contracting the service.
> 
> ....Roy
> 
> https://www.w3.org/wiki/Privacy/TPWG/Change_Proposal_Service_Provider#Proposal:_Service_Provider
> 
> Proposal: Service Provider
> 
> Proposal from Roy Fielding: email, amended slightly to be consistent with a proposal by Vinay Goel: email and again to reflect TPE LCWD; issue-206
> 
> New text
> 
> Access to Web resources often involves multiple parties that might process the data received in a network interaction. For example, domain name services, network access points, content distribution networks, load balancing services, security filters, cloud platforms, and software-as-a-service providers might be a party to a given network interaction because they are contracted by either the user or the resource owner to provide the mechanisms for communication. Likewise, additional parties might be engaged after a network interaction, such as when services or contractors are used to perform specialized data analysis or records retention.
> 
> For the data received in a given network interaction, a service provider is considered to be the same party as its contractee if the service provider:
> 
> (1) processes the data on behalf of the contractee;
> 
> (2) ensures that the data is only retained, accessed, and used as directed by the contractee;
> 
> (3) has no independent right to use the data other than in a de-identified form (e.g., for monitoring service integrity, load balancing, capacity planning, or billing); and,
> 
> (4) has a contract in place with the contractee which is consistent with the above limitations.
> 
> 

Received on Thursday, 5 June 2014 18:59:37 UTC