Re: [ISSUE-206] Service Provider (and related ISSUE-219 question)

Yep, what Vinay said.  Compliance doesn't change the meaning of DNT:1.
Likewise, the service provider definition doesn't change the ability of
a first party or the set of sites that party owns -- it only allows the
service provider to act on behalf of that first party without being
considered a third party (for that data collected as a first party).

A service provider to a third party is still going to be a third party.

....Roy

On Jun 11, 2014, at 8:23 AM, Vinay Goel wrote:

> Hi Mike,
> 
> Can't a clause like that turn a service provider into a "data controller"
> by taking actions or making decisions about the data?  I'd rather we not
> add clauses in to the definition of service provider that requires the
> service provider to make decisions on the use of customer's data.  It also
> conflicts with "(2) ensures that the data is only retained, accessed, and
> used as directed by the contractee".
> 
> Justin - in your example, are all of those sites, including News.com, all
> part of the same publisher/first-party?  If not, what Roy is saying below
> is that News.com would be engaged in tracking if it collected data on
> Shoes.com to serve an interest-based ad on News.com.
> 
> 
> -Vinay
> 
> On 6/11/14, 11:11 AM, "Mike O'Neill" <michael.oneill@baycloud.com> wrote:
> 
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA1
>> 
>> Roy,
>> 
>> Thinking about Justin's concern, would you accept a friendly amendment to
>> your service provider definition making it clear that data should not be
>> shared outside the context in which it occurred (i.e. our definition of
>> tracking), i.e. even if it is only acting at the behest of its
>> contractee. 
>> 
>> 
>> (5) ensures that data about a user's activity collected in a context when
>> DNT is set will not be shared with parties in other contexts.
>> 
>> 
>> 
>> mike
>> 
>>> -----Original Message-----
>>> From: Justin Brookman [mailto:jbrookman@cdt.org]
>>> Sent: 11 June 2014 15:32
>>> To: Roy T. Fielding
>>> Cc: W3C DNT Working Group Mailing List
>>> Subject: Re: [ISSUE-206] Service Provider (and related ISSUE-219 question)
>>> 
>>> 
>>> 
>>> On Jun 6, 2014, at 2:42 PM, Roy T. Fielding <fielding@gbiv.com> wrote:
>>> 
>>>> On Jun 5, 2014, at 11:59 AM, Justin Brookman wrote:
>>>> 
>>>>> That is Ad X could collect and store data on behalf of Sites 1-300, and then
>>>>> serve targeted ads based on any one of those 300 silos when a user visits Sites
>>>>> 301?  As long as the contracts allow this and prohibit use of blended data across
>>>>> silos?
>>>> 
>>>> I don't understand how "serve targeted ads based on" some other site would
>>>> be allowed unless both sites are owned by the same first party.
>>>> Otherwise, that is tracking: "use of data derived from that activity outside
>>>> the context in which it occurred".  Note that the definition of tracking
>>>> doesn't care whether the tracker is a service provider; it only cares
>>>> about the context in which that data was collected.
>>>> 
>>>> ....Roy
>>>> 
>>> 
>>> It's used outside the context the data was collected, but it's not
>>> necessarily cross-site tracking data if it's just held on behalf of a
>>> publisher, right?  So if ADNET is a service provider to Shoes.com,
>>> Diapers.com, Hats.com, Social.com, and dozens of other publishers, it can
>>> collect target ads on News.com based on any one of those silos (say a
>>> retargeted ad for a shoe that the user looked at, or something based on
>>> the user's activity on Social.com).  Assuming that we adopt your
>>> definition of service provider and resolve ISSUE-219 to allow first
>>> party data to be used in other contexts.
>>> 
>>> Or am I misinterpreting the service provider language?
>> 
>> 
>> 
> 

Received on Wednesday, 11 June 2014 15:56:51 UTC