Re: ISSUE-219 (context separation) from Justin Brookman on 2014-06-24 (public-tracking@w3.org from June 2014)

From: Justin Brookman <jbrookman@cdt.org>
Date: Tue, 24 Jun 2014 16:04:37 -0400
To: Alan Chapell <achapell@chapellassociates.com>
Cc: public-tracking@w3.org
Message-Id: <1C40F18A-8D53-4ED3-A6E5-2647FE8ADE37@cdt.org>

I think Walter's language is trying to accomplish what you want.  When he says "the third party must not use data gathered in another context," I think "another context" logically includes all first-party when that party was previously a first party.

Would you prefer to say:

"the third party must not use data gathered in another context, including when it was a first party . . ."?  Or something like that?

You had previously proposed: "Use of this data outside the first party context is tracking and subject to third party rules for tracking, as outlined in Section 5." but I can't tell from the wiki where that sentence was supposed to go.

Since I'm fairly sure you all are trying to accomplish the same thing, I really hope we can merge these options.

On Jun 24, 2014, at 3:52 PM, Alan Chapell <achapell@chapellassociates.com> wrote:

> Hi Walter -
> 
> This language doesn't seem to address a first party acting in a third
> party context. Was that by design?
> 
> I strongly support re-inserting the language around first parties not
> being able to use data outside the Context in which it was collected.
> 
> Alan
> 
> 
> 
> 
> 
> On 6/24/14 3:29 PM, "Walter van Holst" <walter.van.holst@xs4all.nl> wrote:
> 
>> On 24/06/2014 17:57, Ninja Marnau wrote:
>>> Hi John, hi Mike,
>>> 
>>> we wil probably start a Call for objections on the topic of context
>>> separation this wee. Could you take a look at Walter's proposal to see
>>> whether it does reflect your text for data append and first parties: "A
>>> Party MUST NOT use data gathered while a 1st Party when operating as a
>>> 3rd Party.²
>>> 
>>> Here is the link to Walter's text:
>>> 
>>> https://www.w3.org/wiki/Privacy/TPWG/Change_Proposal_Limitations_on_use_i
>>> n_Third_Party_Context#Proposal_2:_Prohibit_use_of_data_collected_as_any_t
>>> ype_of_party
>>> 
>> 
>> Mike, John and I have had a fruitful discussion, which resulted in a
>> more precise wording of what I wanted to achieve and I have updated the
>> text accordingly to:
>> 
>> "... the third party MUST NOT use data gathered in another context about
>> the user, other than with their explicit consent or for permitted uses
>> as defined within this recommendation."
>> 
>> I feel this is a make-or-break issue for the compliance specification
>> which on top of the privacy issue also has competition implications. A
>> strong separation between 1st and 3rd party roles is a must for this
>> compliance specification to be credible.
>> 
>> Regards,
>> 
>> Walter
>> 
>> 
>> 
> 
> 
>

Received on Tuesday, 24 June 2014 20:05:11 UTC