W3C

Results of Questionnaire [Call for Objections] Context Separation: Limitations on use in third party context

The results of this questionnaire are available to anybody. In addition, answers are sent to the following email address: team-tracking-chairs@w3.org

This questionnaire was open from 2014-06-25 to 2014-07-09.

7 answers have been received.


1. Objections to Option A

Option A

If a third party receives a DNT: 1 signal, then:

1. the third party MUST NOT collect, retain, share, or use data related to the network interaction as part of which it received the DNT: 1 signal outside of the permitted uses as defined within this recommendation and any explicitly-granted exceptions provided in accordance with the requirements of this recommendation;

2. the third party MUST NOT use data about previous network interactions in which it was a third party, outside of the permitted uses as defined within this recommendation and any explicitly-granted exceptions, provided in accordance with the requirements of this recommendation.

Details

Responder: Objections to Option A
Walter van Holst: Option A is not so much objectionable as woefully inadequate without the addition of Option B. Without any obligation not to use data it has collected in a non-third party quality, this standard would create a massive loophole for privacy invasion as well as upset the playing field in the advertising ecosystem in favour of a few established large players.
Xuemei Yan: What is the Third party? There should be an explicit definition of the third party? The third party means a party who provides service or advertisement indirectly through the First party? The market partner of the first party is a third party?
Mike O'Neill: This would let first-party sites use data they had collected in the first-party context in other contexts, implicitly allowing them to collect data in the other contexts. In order to do this they have to collect the UID needed to single out the user and therefore also the other contextual data that can be used for profiling or retargeting.
If first-parties need to track users in other contexts they can easily ask for a web-wide UGE or use an OOBC.
It is wrong that large first-parties get carte blanche to track irrespective of DNT, giving them an unfair advantage over companies who take action to respect it.
Roy Fielding: I object to this text because it ignores the definition of tracking that informs DNT:1 and attempts to proscribe data collection in general that has nothing to do with tracking and does not have the effect of tracking the user activity.

For example, bullet 1 effectively forbids contextual advertising placed by a third party even though the group has consistently viewed that as not tracking when information about the user is not retained. Note that contextual advertising is not a permitted use because it is not tracking (and thus doesn't need to be permitted).

This entire section should be dropped and replaced with requirements on when tracking is permitted and when tracking data may be retained, since that kind of phrasing would be more consistent with DNT:1 and get us beyond the discussion resolved by ISSUE-5. It would also remove the dependency on "third party" and the associated false arguments that DNT doesn't apply to first parties.

I also object to the second bullet because it is absurd. It says that the third party can't use data about previous network interactions. What if that data has nothing to do with the current interaction? What if it has nothing to do with the user? Is DNT:1 supposed to have an effect on stupid hit counters that merely increment whenever anyone performs a GET on the page? What about content that is inserted by a third party based on information provided by third parties (e.g., twitter frames, blog titles, etc.)? This is why we should not redefine tracking within every requirement of TCS.
John Simpson: I object to this option because it apparently could allow a party to use information collected in one context, as a 1st party, in another context, as a 3rd party.

It would unfairly advantage large 1st party entities when they are acting as 3rd parties.

A user who has enabled DNT:1 understands that a 1st party is gathering data for use while engaged in that interaction. The user has no reason to expect the data will be used later in another interaction when the entity is functioning as a 3rd party.
Chris Pedigo
Rob Sherman

2. Objections to Option B

Option B

Text would replace existing text in third-party compliance section (striking third from the relevant clause).

... the third party MUST NOT use data collected in another context about the user, including when that party was a first party.

Details

Responder: Objections to Option B
Walter van Holst
Xuemei Yan
Mike O'Neill
Roy Fielding: I am guessing that the resulting text (after option B is applied) would be:

When a third party to a given user action receives a DNT:1 signal in a related network interaction:

1. that party MUST NOT collect, share, or use data related to that interaction;
2. the third party MUST NOT use data collected in another context about the user, including when that party was a first party.


As above, I object to this text because it ignores the definition of tracking that informs DNT:1 and attempts to proscribe data collection in general that has nothing to do with tracking and does not have the effect of tracking the user activity.

For example, bullet 1 effectively forbids contextual advertising placed by a third party even though the group has consistently viewed that as not tracking when information about the user is not retained. Note that contextual advertising is not a permitted use because it is not tracking (and thus doesn't need to be permitted). I know that this option does not change that existing text, but I don't want either text to be considered resolved by this CfO. AFAIK, the existing text never reflected a consensus opinion of the WG.

This entire section should be dropped and replaced with requirements on when tracking is permitted and when tracking data may be retained, since that kind of phrasing would be more consistent with DNT:1 and get us beyond the discussion resolved by ISSUE-5. It would also remove the dependency on "third party" and the associated false arguments that DNT doesn't apply to first parties.

I also object to the loose way in which this is targeted as "in a related network interaction". How is the origin server going to determine what that means? If it is supposed to mean *this interaction*, then just say that. Furthermore, how is the server going to determine if it has data collected about the user from another network interaction when bullet 1 forbids it from using data from this network interaction to identify that user?
John Simpson: While I believe a strong case could be made that the definition of tracking would prevent a 3rd party from using data collected while acting as a 1st party, because it would be different contexts, it seems necessary to make this limitation crystal clear. I therefore strongly support option B.
Chris Pedigo: The OPA objects to Option B because it would impose new requirements on 1st party data, which is collected via a direct relationship with the consumer. The working group has developed a DNT standard that would give consumers choice over data collection by unknown, 3rd parties. 1st parties provide consumer-facing notices such as a privacy policy which provides transparency about the collection and use of consumer data. Consumers have the fundamental ability to choose which sites to visit. If consumers aren't happy with the collection or use of their data by the website or service they are using, then they can choose not to use it as there is a direct relationship between consumer and first party. DNT should be a complementary tool for consumer choice by providing the persistent ability for consumers to opt out of tracking by unknown 3rd parties, about which they have little to no knowledge and with whom they have no relationship. But DNT is not the only tool providing consumer choice and it should not supplant current notice and choice regimes where they exist, are effective, and are enforceable by law. For these reasons, the W3C TPWG should refrain from placing further restrictions on 1st party data.
Rob Sherman: We strongly oppose Option B. This approach is at odds with the basic approach that has been a common understanding of our work for the past several years: That DNT is fundamentally about giving people control over COLLECTION of their information by entities they don't know and aren't interacting with, and which they can't otherwise easily control. As the working group has previously concluded, “Working Group members for a long time have recognized a logical distinction between companies with who the user has a direct relationship (at least in the context of that relationship) and those with which she doesn’t.” Prohibiting parties that people have intentionally built relationships with from providing benefits to those people based on data they have intentionally provided does not fulfill that goal.

For example, Facebook offers social plugins that dynamically personalize people's experiences when they are visiting other websites, if they are logged into Facebook at the time. To do this, we use existing data that a person previously shared with us to show that person the kind of social information that she wants to receive and that helps us avoid showing her another person's information instead. We believe it is possible to do this — to customize a person's experience based on data they previously provided to us — without building additional profiles about that person's third-party browsing behavior, if they have opted out. That is, it is reasonable to assume that if someone has enabled DNT, Facebook has agreed to honor it, and they have not given Facebook separate consent, they would not like Facebook to build a profile of their web browsing behavior. But there has not been any evidence presented in the working group that they would like Facebook not to provide services based on information they already intend for Facebook to have, if Facebook can do so without additional storage of that network interaction for non-permitted uses. (If someone does want this, they can use the control in their account settings to turn it off.) We worry this would fundamentally frustrate the expectations of people who want to receive services from Facebook across the web, and that it would not be intuitive to people that DNT is preventing them from receiving these benefits. Instead, they would just think that services they are used to receiving are “broken.”

Also, this language is drafted so broadly that it claims to apply not JUST to use of information in a “third-party context” but to ANY other context. For example, if a user provided his or her email address to Company while using Company's website, and then Company saw that user as a third-party with DNT:1 set, this language would appear to prohibit Company from sending that user an email (because the restriction is not just about using the data as a third-party but about using the data in “another context”). This kind of retroactive effect is unpredictable and does not make sense, particularly when the person could just as easily opt-out, close her account with the first party, or otherwise ask the first party not to use the information in whatever way she is concerned about. (And, to the extent that first parties don't offer those kinds of controls, that seems to be an issue beyond the scope of DNT.)

There have been two main arguments in favor of Option B, but both can be addressed in other ways.

First, some have suggested that allowing use of first-party data in a third-party context will lead to additional information collection, but this isn't correct. It is inherently the case that third parties may receive cookie contents, IP addresses, or other data as a part of a third-party interaction, and they may use this information for purposes permitted in the compliance standard. The standard might specify that this information has to be discarded promptly or used only for permitted purposes, but it will still exist. Given that, it seems unreasonable to prohibit a party from showing information to the user that the user knows that first party has, when a more tailored result would be to specify as a part of a data minimization obligation that the party could not store that information for future use, except as otherwise permitted in the specification.

Second, a few people have argued that without a restriction on using first-party data in a third-party context, first parties will be able to show retargeted ads. In general, this should not be the case, since first parties ordinarily use third-party ad companies to deliver these ads, and in many cases the process of sharing that information with the third party would violate the restriction in Option A. Where it does not — for example, if the first party delivered its own ad itself on a website where it was a third party, which is a rare edge case — that would seem to be predominantly a user experience concern, not a tracking concern. That is, in this case no additional information would have been collected or disclosed while the company was a third party, but the consumer might be annoyed that the company decided to show a retargeted ad to a person who had expressed a privacy preference. Given the first-party status, the consumer would know who is doing this and could close his account or take other steps against the first party.

If the working group decides that its concern is not about data collection but about the display of behavioral advertising, we should solve the problem squarely — with a restriction that relates specifically to situations where the primary purpose is to display a behavioral ad — rather than impose a broad restriction that could make it harder for people to get services they want to receive and have unintended broader effects.

More details on responses

  • Walter van Holst: last responded on 25, June 2014 at 21:07 (UTC)
  • Xuemei Yan: last responded on 26, June 2014 at 08:24 (UTC)
  • Mike O'Neill: last responded on 7, July 2014 at 11:21 (UTC)
  • Roy Fielding: last responded on 9, July 2014 at 21:59 (UTC)
  • John Simpson: last responded on 9, July 2014 at 23:22 (UTC)
  • Chris Pedigo: last responded on 10, July 2014 at 01:38 (UTC)
  • Rob Sherman: last responded on 10, July 2014 at 03:30 (UTC)

Everybody has responded to this questionnaire.

