RE: [ISSUE-206] Service Provider (and related ISSUE-219 question)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Roy,

Thinking about Justin's concern, would you accept a friendly amendment to your service provider definition making it clear that data should not be shared outside the context in which it occurred (i.e. our definition of tracking), i.e. even if it is only acting at the behest of its contractee. 


(5) ensures that data about a user's activity collected in a context when DNT is set will not be shared with parties in other contexts.



mike

> -----Original Message-----
> From: Justin Brookman [mailto:jbrookman@cdt.org]
> Sent: 11 June 2014 15:32
> To: Roy T. Fielding
> Cc: W3C DNT Working Group Mailing List
> Subject: Re: [ISSUE-206] Service Provider (and related ISSUE-219 question)
> 
> 
> 
> On Jun 6, 2014, at 2:42 PM, Roy T. Fielding <fielding@gbiv.com> wrote:
> 
> > On Jun 5, 2014, at 11:59 AM, Justin Brookman wrote:
> >
> >> That is Ad X could collect and store data on behalf of Sites 1-300, and then
> serve targeted ads based on any one of those 300 silos when a user visits Sites
> 301?  As long as the contracts allow this and prohibit use of blended data across
> silos?
> >
> > I don't understand how "serve targeted ads based on" some other site would
> > be allowed unless both sites are owned by the same first party.
> > Otherwise, that is tracking: "use of data derived from that activity outside
> > the context in which it occurred".  Note that the definition of tracking
> > doesn't care whether the tracker is a service provider; it only cares
> > about the context in which that data was collected.
> >
> > ....Roy
> >
> 
> It's used outside the context the data was collected, but it's not necessary cross-
> site tracking data if it's just held on behalf of a publisher, right?  So if ADNET is a
> service provider to Shoes.com, Diapers.com, Hats.com, Social.com, and dozens
> of other publishers, it can collect target ads on News.com based on any one of
> those silos (say a retargeted ad for a shoe that the user looked at, or something
> based on the user's activity on Social.com).  Assuming that we adopt your
> definition of service provider and resolve ISSUE-219 to allow first party data to
> be used in other contexts.
> 
> Or am I misinterpreting the service provider language?

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.13 (MingW32)
Comment: Using gpg4o v3.3.26.5094 - http://www.gpg4o.com/
Charset: utf-8

iQEcBAEBAgAGBQJTmHGxAAoJEHMxUy4uXm2JFTMH/2NzXijICkyoiAvFy53TqY9s
6S4sVmC3tQtyxKn4Xd7kC0rPnUW1PhNtArwMMJvADPhg+2/XlXoIAMr3JOgaN6Py
kDUTBOrWLbnTqaYMh48ZSH8o/N4dnoh+UK1l51ckCALnH8Q4GKeuBXIx3Rszcjm/
KVjaXiJaS/o8PWqE+0SoikZxpkMPGGsVGi9VXzhcI/rKOdBJl/SrWdXQB7Dc4eif
rCAqWvSZuqw/QRe3obgEKG0fw88UVaqAZqcDP5wJ42GUQ4FvmH0PNB/wSYZJLA8k
EugPIAo4aY5HnrJAZnpKynqcWQLH/MmFVa9m38D1jvvtQqe2wnl9XEo78NEtbwo=
=QhkD
-----END PGP SIGNATURE-----

Received on Wednesday, 11 June 2014 15:12:31 UTC