Hi Nick,

I just noticed that in the TCS Working Draft, 3.3 Third Party Compliance, item 2 says:

2. that party MUST NOT use data about previous network interactions in which it was a third party to the user action.

Surely that text does not correspond to the chairs’ decision on issue-219, i.e. Option B (or 2), where the text is:

the third party MUST NOT use data collected in another context about the user, including when that party was a first party.

To correspond with the decision the current TCS text should be changed to:

2. that party MUST NOT use data about previous network interactions in which it was a party to the user action.

Mike

> -----Original Message-----
> From: Nick Doty [mailto:npdoty@w3.org]
> Sent: 18 March 2015 01:24
> To: David Singer
> Cc: fielding@gbiv.com; public-tracking@w3.org
> Subject: Re: [TCS] comments on 17 Feb 2015 editors draft
>
> On Mar 16, 2015, at 3:36 PM, David Singer <singer@apple.com> wrote:
> >
> >> On Mar 16, 2015, at 15:08 , Nick Doty <npdoty@w3.org> wrote:
> >>
> >>>> 7. Legal Compliance
> >>>>
> >>>> Notwithstanding anything in this recommendation, a party MAY collect, use,
> >>>> and share data required to comply with applicable laws, regulations, and
> >>>> judicial processes.
> >>>
> >>> I still think this section is silly, but *shrug* ... Normally, I would
> >>> expect such a party to be non-compliant due to powers that be, rather
> >>> than compliant by escape clause.
> >>
> >> I believe I am also in the *shrug* category on this particular point, but I
> >> believe we settled on this language because some people in the Working Group
> >> found it important and some people in the Working Group didn't care.
> >
> > As I said before, I think we’re confusing two things here.
> >
> > a) If laws, regulations or a judicial process force me to do something other
> > than this compliance spec., should I do them?
> >   That’s the silly question: of course.
> >
> > b) Having done what they require, can I still claim compliance with the
> > specification?
> >   That’s what this paragraph seems to allow (‘MAY’). I think we should say
> > nothing, or even have a track status for ‘he MADE me do it’. However, as we
> > know, you can be forced to do something and also forced not to admit you are
> > doing it.
> >
> > I therefore tend to think that that ‘MAY’ above should be changed; ‘laws,
> > regulations and judicial processes take precedence over this specification’ (you
> > don’t say!)
>
> I think the expressed problem with that is that it meant that if an organization
> were occasionally compelled by legal process to share information that the
> organization would generally be prohibited from sharing while claiming
> compliance with this document, then that organization could never claim
> compliance.
>
> While the idea of a tracking status value for compelled disclosure is interesting
> (cf. HTTP status code 451), I'm not sure it would be very meaningful for users
> since in many cases of disclosure, the site wouldn't know ahead of time (or at
> the time that the tracking status is checked) whether data would subsequently
> be disclosed.
>
> Nick