Re: ISSUE-219 (context separation) from John M. Simpson on 2014-06-24 (public-tracking@w3.org from June 2014)

From: John M. Simpson <john@consumerwatchdog.org>
Date: Tue, 24 Jun 2014 16:15:44 -0400
To: Alan Chapell <achapell@chapellassociates.com>
Cc: Walter van Holst <walter.van.holst@xs4all.nl>, "<public-tracking@w3.org>" <public-tracking@w3.org>
Message-Id: <4EF050D1-B7DA-4185-B7BC-A7282F057527@consumerwatchdog.org>

Alan,

My understanding is that this language would in fact stop an entity using data it gathered as a first party -- one context -- when acting as a third party -- a different context.

That certainly is our intent. How should tweak to make this crystal clear?
Regards,
John

Sent from my iPhone
John M. Simpson
Privacy Project Director
Consumer Watchdog

> On Jun 24, 2014, at 3:52 PM, Alan Chapell <achapell@chapellassociates.com> wrote:
> 
> Hi Walter -
> 
> This language doesn't seem to address a first party acting in a third
> party context. Was that by design?
> 
> I strongly support re-inserting the language around first parties not
> being able to use data outside the Context in which it was collected.
> 
> Alan
> 
> 
> 
> 
> 
>> On 6/24/14 3:29 PM, "Walter van Holst" <walter.van.holst@xs4all.nl> wrote:
>> 
>>> On 24/06/2014 17:57, Ninja Marnau wrote:
>>> Hi John, hi Mike,
>>> 
>>> we wil probably start a Call for objections on the topic of context
>>> separation this wee. Could you take a look at Walter's proposal to see
>>> whether it does reflect your text for data append and first parties: "A
>>> Party MUST NOT use data gathered while a 1st Party when operating as a
>>> 3rd Party.²
>>> 
>>> Here is the link to Walter's text:
>>> 
>>> https://www.w3.org/wiki/Privacy/TPWG/Change_Proposal_Limitations_on_use_i
>>> n_Third_Party_Context#Proposal_2:_Prohibit_use_of_data_collected_as_any_t
>>> ype_of_party
>> 
>> Mike, John and I have had a fruitful discussion, which resulted in a
>> more precise wording of what I wanted to achieve and I have updated the
>> text accordingly to:
>> 
>> "... the third party MUST NOT use data gathered in another context about
>> the user, other than with their explicit consent or for permitted uses
>> as defined within this recommendation."
>> 
>> I feel this is a make-or-break issue for the compliance specification
>> which on top of the privacy issue also has competition implications. A
>> strong separation between 1st and 3rd party roles is a must for this
>> compliance specification to be credible.
>> 
>> Regards,
>> 
>> Walter
> 
> 
>

Received on Tuesday, 24 June 2014 20:16:20 UTC