RE: [TCS] comments on 17 Feb 2015 editors draft

Hi Nick,

I just noticed that in the TCS Working Draft, 3.3 Third Party Compliance, item 2 says:
2. that party MUST NOT use data about previous network interactions in which it was a third party to the user action.

Surely that text does not correspond to the chairs’ decision on issue-219 i.e. Option B (or 2), where the text is:
the third party MUST NOT use data collected in another context about the user, including when that party was a first party.
To correspond with the decision the current TCS text should be changed to:
2. that party MUST NOT use data about previous network interactions in which it was a party to the user action.


Mike


> -----Original Message-----
> From: Nick Doty [mailto:npdoty@w3.org]
> Sent: 18 March 2015 01:24
> To: David Singer
> Cc: fielding@gbiv.com; public-tracking@w3.org
> Subject: Re: [TCS] comments on 17 Feb 2015 editors draft
>
> On Mar 16, 2015, at 3:36 PM, David Singer <singer@apple.com> wrote:
> >
> >> On Mar 16, 2015, at 15:08 , Nick Doty <npdoty@w3.org> wrote:
> >>
> >>>> 7. Legal Compliance
> >>>>
> >>>> Notwithstanding anything in this recommendation, a party MAY collect,
> >>>> use, and share data required to comply with applicable laws, regulations, and
> >>>> judicial processes.
> >>>
> >>> I still think this section is silly, but *shrug* ... Normally, I would
> >>> expect such a party to be non-compliant due to powers that be, rather
> >>> than compliant by escape clause.
> >>
> >> I believe I am also in the *shrug* category on this particular point, but I
> >> believe we settled on this language because some people in the Working Group
> >> found it important and some people in the Working Group didn't care.
> >
> > As I said before, I think we’re confusing two things here.
> >
> > a) If laws, regulations or a judicial process force me to do something other
> > than this compliance spec., should I do them?
> >   That’s the silly question: of course.
> >
> > b) Having done what they require, can I still claim compliance with the
> > specification?
> >   That’s what this paragraph seems to allow (‘MAY’). I think we should say
> > nothing, or even have a track status for ‘he MADE me do it’. However, as we
> > know, you can be forced to do something and also forced not to admit you are
> > doing it.
> >
> > I therefore tend to think that that ‘MAY’ above should be changed; ‘laws,
> > regulations and judicial processes take precedence over this specification’ (you
> > don’t say!)
>
> I think the expressed problem with that is that it meant that if an organization
> were occasionally compelled by legal process to share information that the
> organization would generally be prohibited from sharing while claiming
> compliance with this document, then that organization could never claim
> compliance.
>
> While the idea of a tracking status value for compelled disclosure is interesting
> (cf. HTTP status code 451), I'm not sure it would be very meaningful for users
> since in many cases of disclosure, the site wouldn't know ahead of time (or at
> the time that the tracking status is checked) whether data would subsequently
> be disclosed.
>
> Nick

Received on Saturday, 21 March 2015 19:27:46 UTC