- From: Roy T. Fielding <fielding@gbiv.com>
- Date: Mon, 24 Apr 2017 13:15:03 -0700
- To: "Aleecia M. McDonald" <aleecia@aleecia.com>
- Cc: "public-tracking@w3.org (public-tracking@w3.org) (public-tracking@w3.org)" <public-tracking@w3.org>
> On Apr 24, 2017, at 10:43 AM, Aleecia M. McDonald <aleecia@aleecia.com> wrote:
>
> I was in the queue but we timed out, so a few follow up points:
>
> 1. Just for historic accuracy / trivia, DNT was not always from the beginning to omit first parties. Check the original issue tracker or the early days of the mailing list to find hot debates as to what level of responsibility first parties ought to have. But we are not constitutional scholars so it is moot either way, yes? :-) It just seemed unfair to beat up on Walter when he wasn’t even wrong...

I agree, and (in TPE) the DNT signal is about tracking (collecting or using data across multiple distinct contexts) whether or not the service being used is a first party. Hence, it matches how first party sites like Pinterest and a few others have been interpreting the DNT signal even without a standard.

> 2. If I understood Shane’s use case correctly today, the flow would be something like this:
> User Alice agrees to a site-wide exception for yahoo.com, including flickr.com and other parties that Yahoo lists as related first parties. Yahoo’s third parties are imported by reference — Yahoo adds a URL to a list maintained by an ad network. Alice’s consent covers all of the ad network’s partners.
>
> User Bob comes along a week later, and the ad network’s partners have changed. Bob also consents, but he consents to a different list of partners, as he would know if he found Yahoo’s list of third parties which includes the ad network’s list of current partners.
>
> Here’s my question. When Alice visits right after Bob, with the new ad network’s partners, does her prior consent omit the newly added partners? Or does Yahoo believe she has consented to all ad network partners that ever could be, even into the future?
>
> (Basically, I’m asking about caching and wildcard consent.)
>
> Thanks for any clarifications here.
>
> Aleecia
>

Well, I'd say that Alice's consent applies to whatever Alice (when properly informed) has consented. If the page asked for consent for partners X and Z as linked to by Y! for some reasonable length of time, then the only consent Alice has given is for Y! -> X and Y! -> Z for the duration of time described.

If, however, the page asked Alice's consent for all links Y! -> B wherein B is a certified member of Bob's Big Brother network and subject to a specific edition of policies as published by BBB, and Alice gave that consent, then why should Alice care whether the partners change, so long as they remain within the scope of consent?

Keep in mind that it is the site having or using the data (not the user and not the browser) which is responsible for ensuring the data use/storage remains within the scope of consent.

I know some folks have argued that users cannot consent when they don't know the legal identity of the business to which the information has been provided. I don't believe there is any rational basis for that opinion, given how everyday users provide their own identity on every non-cash purchase in the realm of retail and restaurant sales to whatever salesperson they encounter, and rarely have any idea who employs the salesperson, who owns that establishment, and to what extent legal entities might be intertwined across multiple establishments.

I prefer to think that their consent is limited to purpose, limited to some extent by industry things like PCI credit card compliance, and limited overall by laws and regulations. Not by the user's ability to remember who owns what.

Cheers,

...Roy

Received on Monday, 24 April 2017 20:15:33 UTC