RE: ISSUE-219 (context separation)

Hash: SHA1

Hi Shane,

I am with Justin on this pone, “implied consent” is hard to justify especially when the user in unaware that their agreement has been assumed and by whom. That is the reason for the “explicit” adjective, though “prior” works also.


From: Justin Brookman []
Sent: 24 June 2014 21:20
To: Shane M Wiley
Cc: Mailing List
Subject: Re: ISSUE-219 (context separation)

Certainly, any party can get an exception to the DNT request, and signal back to the user a TSV of "C" indicating "A tracking status value of C means that the origin server believes it has received prior consent for tracking this user, user agent, or device, perhaps via some mechanism not defined by this specification, and that prior consent overrides the tracking preference expressed by this protocol."

I suspect arguing implicit consent would be challenging (!), but a first party could require that users consent to give an DNT exception as a condition of service (if legally allowed in a particular jurisdiction), or otherwise ask users if it's OK for the company to track or customize content/ads on other websites.

On Jun 24, 2014, at 4:10 PM, Shane M Wiley <> wrote:

Wouldn’t many first parties be able to argue they have user consent (implied or explicit) to do this thus trumping this provision?  If yes, then perhaps this isn’t an issue as 1st parties will still be able to use data collected in the 1st party context in a 3rd party context (use only; all collection is still covered by DNT).

- - Shane

From: Justin Brookman []
Sent: Tuesday, June 24, 2014 1:05 PM
To: Alan Chapell
Subject: Re: ISSUE-219 (context separation)

I think Walter's language is trying to accomplish what you want.  When he says "the third party must not use data gathered in another context," I think "another context" logically includes all first-party when that party was previously a first party.

Would you prefer to say:

"the third party must not use data gathered in another context, including when it was a first party . . ."?  Or something like that?

You had previously proposed: "Use of this data outside the first party context is tracking and subject to third party rules for tracking, as outlined in Section 5." but I can't tell from the wiki where that sentence was supposed to go.

Since I'm fairly sure you all are trying to accomplish the same thing, I really hope we can merge these options.

On Jun 24, 2014, at 3:52 PM, Alan Chapell <> wrote:

Hi Walter -

This language doesn't seem to address a first party acting in a third
party context. Was that by design?

I strongly support re-inserting the language around first parties not
being able to use data outside the Context in which it was collected.


On 6/24/14 3:29 PM, "Walter van Holst" <> wrote:

On 24/06/2014 17:57, Ninja Marnau wrote:

Hi John, hi Mike,

we wil probably start a Call for objections on the topic of context
separation this wee. Could you take a look at Walter's proposal to see
whether it does reflect your text for data append and first parties: "A
Party MUST NOT use data gathered while a 1st Party when operating as a
3rd Party.²

Here is the link to Walter's text:

Mike, John and I have had a fruitful discussion, which resulted in a
more precise wording of what I wanted to achieve and I have updated the
text accordingly to:

"... the third party MUST NOT use data gathered in another context about
the user, other than with their explicit consent or for permitted uses
as defined within this recommendation."

I feel this is a make-or-break issue for the compliance specification
which on top of the privacy issue also has competition implications. A
strong separation between 1st and 3rd party roles is a must for this
compliance specification to be credible.



Version: GnuPG v1.4.13 (MingW32)
Comment: Using gpg4o v3.3.26.5094 -
Charset: utf-8


Received on Wednesday, 25 June 2014 09:30:52 UTC