Re: Issue 13 (was Re: Issues for Monday Call)

> On Apr 24, 2017, at 10:43 AM, Aleecia M. McDonald <aleecia@aleecia.com> wrote:
> 
> I was in the queue but we timed out, so a few follow-up points:
> 
> 1. Just for historic accuracy / trivia, DNT was not always from the beginning to omit first parties. Check the original issue tracker or the early days of the mailing list to find hot debates as to what level of responsibility first parties ought to have. But we are not constitutional scholars so it is moot either way, yes? :-) It just seemed unfair to beat up on Walter when he wasn’t even wrong...

I agree, and (in TPE) the DNT signal is about tracking (collecting or
using data across multiple distinct contexts) whether or not the service
being used is a first party.  Hence, it matches how first party sites
like Pinterest and a few others have been interpreting the DNT signal
even without a standard.

> 2. If I understood Shane’s use case correctly today, the flow would be something like this:
>  User Alice agrees to a site-wide exception for yahoo.com, including flickr.com and other parties that Yahoo lists as related first parties. Yahoo’s third parties are imported by reference — Yahoo adds a URL to a list maintained by an ad network. Alice’s consent covers all of the ad network’s partners.
> 
>  User Bob comes along a week later, and the ad network’s partners have changed. Bob also consents, but he consents to a different list of partners, as he would know if he found Yahoo’s list of third parties which includes the ad network’s list of current partners.
> 
>  Here’s my question. When Alice visits right after Bob, with the new ad network’s partners, does her prior consent omit the newly added partners? Or does Yahoo believe she has consented to all ad network partners that ever could be, even into the future?
> 
> (Basically, I’m asking about caching and wildcard consent.)
> 
> Thanks for any clarifications here. 
> 
>  Aleecia
> 

Well, I'd say that Alice's consent applies to whatever Alice (when
properly informed) has consented.

If the page asked for consent for partners X and Z as linked to by Y! for
some reasonable length of time, then the only consent Alice has given is
for Y! -> X and Y! -> Z for the duration of time described.

If, however, the page asked Alice's consent for all links Y! -> B wherein
B is a certified member of Bob's Big Brother network and subject to a specific
edition of policies as published by BBB, and Alice gave that consent, then
why should Alice care whether the partners change, so long as they remain
within the scope of consent?  Keep in mind that it is the site having or
using the data (not the user and not the browser) which is responsible
for ensuring the data use/storage remains within the scope of consent.

I know some folks have argued that users cannot consent when they don't
know the legal identity of the business to which the information has been
provided.  I don't believe there is any rational basis for that opinion,
given how everyday users provide their own identity on every non-cash
purchase in the realm of retail and restaurant sales to whatever salesperson
they encounter, and rarely have any idea who employs the salesperson,
who owns that establishment, and to what extent legal entities might
be intertwined across multiple establishments.  I prefer to think that
their consent is limited to purpose, limited to some extent by industry
things like PCI credit card compliance, and limited overall by laws and
regulations.  Not by the user's ability to remember who owns what.

Cheers,

...Roy

Received on Monday, 24 April 2017 20:15:33 UTC