- From: Lee Tien <tien@eff.org>
- Date: Wed, 11 Jun 2014 19:50:46 -0700
- To: W3C DNT Working Group Mailing List <public-tracking@w3.org>
I don't know whether this is helpful or muddies the waters, but EFF has drafted a compliance policy to accompany our Privacy Badger software. https://raw.githubusercontent.com/EFForg/dnt-policy/master/dnt-policy-discussion-draft.txt Our policy applies by domain to domain operators hoping to avoid undue reliance on the first-third party distinction. We currently handle "contractors, affiliates or other parties," which should include "service providers," with the following language: > > > 3. OTHER DOMAINS: > > a. If this domain transfers identifiable user data about DNT Users to > contractors, affiliates or other parties, or embeds from or posts data to > other domains, we will either: > > b. ensure that the operators of those domains abide by this policy overall > by posting it at /.well-known/dnt-policy.txt via HTTPS on the domains in > question, > > OR > > ensure that the recipient's policies and practices require the recipient > to respect the policy for our DNT Users' data. > > OR > > obtain a contractual commitment from the recipient to respect this policy > for our DNT Users' data. > > NOTE: if an “Other Domain” does not receive identifiable user information > from the domain, because such information has been removed or because the > Other Domain does not log that information or for some other reason, these > requirements do not apply. Thanks, Lee On Jun 11, 2014, at 8:56 AM, Roy T. Fielding wrote: > Yep, what Vinay said. Compliance doesn't change the meaning of DNT:1. > Likewise, the service provider definition doesn't change the ability of > a first party or the set of sites that party owns -- it only allows the > service provider to act on behalf of that first party without being > considered a third party (for that data collected as a first party). > > A service provider to a third party is still going to be a third party. > > ....Roy > > On Jun 11, 2014, at 8:23 AM, Vinay Goel wrote: > >> Hi Mike, >> >> Can't a clause like that turn a service provider into a "data controller" >> by taking actions or making decisions about the data? I'd rather we not >> add clauses in to the definition of service provider that requires the >> service provider to make decisions on the use of customer's data. It also >> conflicts with "(2) ensures that the data is only retained, accessed, and >> used as directed by the contractee". >> >> Justin - in your example, are all of those sites, including News.com, all >> part of the same publisher/first-party? If not, what Roy is saying below >> is that News.com would be engaged in tracking if it collected data on >> Shoes.com to serve an interest-based ad on News.com. >> >> >> -Vinay >> >> On 6/11/14, 11:11 AM, "Mike O'Neill" <michael.oneill@baycloud.com> wrote: >> >>> -----BEGIN PGP SIGNED MESSAGE----- >>> Hash: SHA1 >>> >>> Roy, >>> >>> Thinking about Justin's concern, would you accept a friendly amendment to >>> your service provider definition making it clear that data should not be >>> shared outside the context in which it occurred (i.e. our definition of >>> tracking), i.e. even if it is only acting at the behest of its >>> contractee. >>> >>> >>> (5) ensures that data about a user's activity collected in a context when >>> DNT is set will not be shared with parties in other contexts. >>> >>> >>> >>> mike >>> >>>> -----Original Message----- >>>> From: Justin Brookman [mailto:jbrookman@cdt.org] >>>> Sent: 11 June 2014 15:32 >>>> To: Roy T. Fielding >>>> Cc: W3C DNT Working Group Mailing List >>>> Subject: Re: [ISSUE-206] Service Provider (and related ISSUE-219 >>>> question) >>>> >>>> >>>> >>>> On Jun 6, 2014, at 2:42 PM, Roy T. Fielding <fielding@gbiv.com> wrote: >>>> >>>>> On Jun 5, 2014, at 11:59 AM, Justin Brookman wrote: >>>>> >>>>>> That is Ad X could collect and store data on behalf of Sites 1-300, >>>> and then >>>> serve targeted ads based on any one of those 300 silos when a user >>>> visits Sites >>>> 301? As long as the contracts allow this and prohibit use of blended >>>> data across >>>> silos? >>>>> >>>>> I don't understand how "serve targeted ads based on" some other site >>>> would >>>>> be allowed unless both sites are owned by the same first party. >>>>> Otherwise, that is tracking: "use of data derived from that activity >>>> outside >>>>> the context in which it occurred". Note that the definition of >>>> tracking >>>>> doesn't care whether the tracker is a service provider; it only cares >>>>> about the context in which that data was collected. >>>>> >>>>> ....Roy >>>>> >>>> >>>> It's used outside the context the data was collected, but it's not >>>> necessary cross- >>>> site tracking data if it's just held on behalf of a publisher, right? >>>> So if ADNET is a >>>> service provider to Shoes.com, Diapers.com, Hats.com, Social.com, and >>>> dozens >>>> of other publishers, it can collect target ads on News.com based on any >>>> one of >>>> those silos (say a retargeted ad for a shoe that the user looked at, or >>>> something >>>> based on the user's activity on Social.com). Assuming that we adopt >>>> your >>>> definition of service provider and resolve ISSUE-219 to allow first >>>> party data to >>>> be used in other contexts. >>>> >>>> Or am I misinterpreting the service provider language? >>> >>> -----BEGIN PGP SIGNATURE----- >>> Version: GnuPG v1.4.13 (MingW32) >>> Comment: Using gpg4o v3.3.26.5094 - http://www.gpg4o.com/ >>> Charset: utf-8 >>> >>> iQEcBAEBAgAGBQJTmHGxAAoJEHMxUy4uXm2JFTMH/2NzXijICkyoiAvFy53TqY9s >>> 6S4sVmC3tQtyxKn4Xd7kC0rPnUW1PhNtArwMMJvADPhg+2/XlXoIAMr3JOgaN6Py >>> kDUTBOrWLbnTqaYMh48ZSH8o/N4dnoh+UK1l51ckCALnH8Q4GKeuBXIx3Rszcjm/ >>> KVjaXiJaS/o8PWqE+0SoikZxpkMPGGsVGi9VXzhcI/rKOdBJl/SrWdXQB7Dc4eif >>> rCAqWvSZuqw/QRe3obgEKG0fw88UVaqAZqcDP5wJ42GUQ4FvmH0PNB/wSYZJLA8k >>> EugPIAo4aY5HnrJAZnpKynqcWQLH/MmFVa9m38D1jvvtQqe2wnl9XEo78NEtbwo= >>> =QhkD >>> -----END PGP SIGNATURE----- >>> >>> >> > > >
Received on Thursday, 12 June 2014 02:51:20 UTC