RE: ISSUE-219 (context separation) from Shane M Wiley on 2014-06-24 (public-tracking@w3.org from June 2014)

From: Shane M Wiley <wileys@yahoo-inc.com>
Date: Tue, 24 Jun 2014 20:10:26 +0000
To: Justin Brookman <jbrookman@cdt.org>, Alan Chapell <achapell@chapellassociates.com>
CC: "public-tracking@w3.org" <public-tracking@w3.org>
Message-ID: <DCCF036E573F0142BD90964789F720E3146FF790@GQ1-MB01-02.y.corp.yahoo.com>

Wouldn't many first parties be able to argue they have user consent (implied or explicit) to do this thus trumping this provision?  If yes, then perhaps this isn't an issue as 1st parties will still be able to use data collected in the 1st party context in a 3rd party context (use only; all collection is still covered by DNT).

- Shane

From: Justin Brookman [mailto:jbrookman@cdt.org]
Sent: Tuesday, June 24, 2014 1:05 PM
To: Alan Chapell
Cc: public-tracking@w3.org
Subject: Re: ISSUE-219 (context separation)

I think Walter's language is trying to accomplish what you want.  When he says "the third party must not use data gathered in another context," I think "another context" logically includes all first-party when that party was previously a first party.

Would you prefer to say:

"the third party must not use data gathered in another context, including when it was a first party . . ."?  Or something like that?

You had previously proposed: "Use of this data outside the first party context is tracking and subject to third party rules for tracking, as outlined in Section 5." but I can't tell from the wiki where that sentence was supposed to go.

Since I'm fairly sure you all are trying to accomplish the same thing, I really hope we can merge these options.

On Jun 24, 2014, at 3:52 PM, Alan Chapell <achapell@chapellassociates.com<mailto:achapell@chapellassociates.com>> wrote:

Hi Walter -

This language doesn't seem to address a first party acting in a third
party context. Was that by design?

I strongly support re-inserting the language around first parties not
being able to use data outside the Context in which it was collected.

Alan

On 6/24/14 3:29 PM, "Walter van Holst" <walter.van.holst@xs4all.nl<mailto:walter.van.holst@xs4all.nl>> wrote:

On 24/06/2014 17:57, Ninja Marnau wrote:

Hi John, hi Mike,

we wil probably start a Call for objections on the topic of context
separation this wee. Could you take a look at Walter's proposal to see
whether it does reflect your text for data append and first parties: "A
Party MUST NOT use data gathered while a 1st Party when operating as a
3rd Party.²

Here is the link to Walter's text:

https://www.w3.org/wiki/Privacy/TPWG/Change_Proposal_Limitations_on_use_i
n_Third_Party_Context#Proposal_2:_Prohibit_use_of_data_collected_as_any_t
ype_of_party

Mike, John and I have had a fruitful discussion, which resulted in a
more precise wording of what I wanted to achieve and I have updated the
text accordingly to:

"... the third party MUST NOT use data gathered in another context about
the user, other than with their explicit consent or for permitted uses
as defined within this recommendation."

I feel this is a make-or-break issue for the compliance specification
which on top of the privacy issue also has competition implications. A
strong separation between 1st and 3rd party roles is a must for this
compliance specification to be credible.

Regards,

Walter

Received on Tuesday, 24 June 2014 20:11:42 UTC