ACTION-116 ISSUE-123 Re: Third parties should not pretend to be first parties from Rigo Wenning on 2012-03-07 (public-tracking@w3.org from March 2012)

From: Rigo Wenning <rigo@w3.org>
Date: Wed, 07 Mar 2012 11:26:38 +0100
To: public-tracking@w3.org
Cc: Tom Lowenthal <tom@mozilla.com>
Message-ID: <1565725.9tYWuIi0B0@hegel.sophia.w3.org>
Hi all, 

as the discussion was inconclusive so far, let me start again: 

1/ The wording must make clear that in the outsourcing scenario described in "
Exception for Outsourcing"  the intention is to extend the definition of first 
party to its providers under strict conditions. Those were written by David 
Singer and are in line with the EU data controler / data processor 
distinction. We have closed that issue and should not re-open it here. 

2/ As far as I remember, this issue123 was raised in the unregulated context. 
And in such context, the only way to assert that somebody is lying is if there 
is violation of a rule. So we need a rule saying: "third parties MUST NOT 
pretend to be first parties". As a consequence somebody being a third party 
and pretending to be a first party is not compliant with the DNT system, but 
asserts to be. This makes follow up by regulators easier. And this is it.

Justin was IMHO right to say that outsourced services under the conditions as 
laid out in the compliance spec are NOT third parties in the first place. This 
should go into the non-normative description to avoid future confusion

As a consequence, I would propose the following amended paragraph while 
maintaining the rest of Tom's suggestion: 

<p>> If not covered by an exception like <a 
href="#TypesofTrackingOutsourcing">outsourcing</a>, a third party MUST NOT 
falsely represent themselves as a first party, whether using the methods of 
expression described in [[!TRACKING-PREFERENCE-EXPRESSION]] or otherwise.</p>

For the non-normative, I would add:

<p>
This section defines high level principles if a third party receives the [DNT-
ON] header. It points to other sections for more details on what to do and 
what not to do. As the DNT-system distinguishes between first and third 
parties and as first parties are privileged, first parties can still collect 
certain data, even if [DNT-ON]. It is clear that a third party should not be 
able to pretend it is a first party in order to obtain the first party's 
privileges. But no principle without exception. A well-defined class of third 
parties who only process data on behalf of the first party is considered a 
first party in this Specification. In fact, third parties fulfilling all 
requirements from <a href="#TypesofTrackingOutsourcing">the outsourcing 
definition</a> can claim to be an extension from the first party and thus do 
not fall under the definition of third party anymore. In case those special 
outsourcing partners receive an HTTP request, they can claim to be part of the 
first party. All others are third parties and shall not pretend otherwise.
</p>


BTW, looking at the compliance spec, I have doubts about the numbering and 
also note that something has broken Opera as it doesn't produce the outline 
anymore.


Best, 

Rigo

On Wednesday 29 February 2012 14:48:52 Tom Lowenthal wrote:
> ACTION-116
> ISSUE-123
> 
> Proposal: add an additional requirement to the TC document in section
> 4.3. This replaces a similar provision which Matthias encouraged me to
> remove from the header spec since it makes more sense in TC than TPE.
> 
> > A third party MUST NOT falsely represent themselves as a first party,
> > whether using the methods of expression described in
> > [[!TRACKING-PREFERENCE-EXPRESSION]] or otherwise.
> 
> The HTML for 4.3 (up to but not including 4.3.1) with this addition is:
> 
> ~~~~~
> 
> <h3>Compliance by a third party</h3>
> 
>  <p class="note">This section consists of proposed text that is meant to
> address <a
> href="http://www.w3.org/2011/tracking-protection/track/issues/19">ISSUE-19</
> a> and <a
> href="http://www.w3.org/2011/tracking-protection/track/issues/39">ISSUE-39</
> a> and is pending discussion and <strong>[PENDING REVIEW]</strong>.</p>
> 
> <p>If the operator of a third-party domain receives a communication to
> which a [DNT-ON] header is attached:</p>
> <ol>
> <li>that operator MUST NOT collect, share, or use information related to
> that
> communication outside of the Exceptions as defined
> within this standard and any explicitly-granted Exemptions, provided in
> accordance with the requirements of this standard;</li>
> <li> that operator MUST NOT use information about previous communications
> in which the operator was a third party, outside of the explicitly
> expressed Exceptions as defined within this standard;</li>
> <li> that operator [MUST NOT or SHOULD NOT] retain information about
> previous communications in which the operator was a third party, outside
> of the explicitly expressed Exceptions as defined within this standard.</li>
> </ol>
> 
> <p>> A third party MUST NOT falsely represent themselves as a first
> party, whether using the methods of expression described in
> [[!TRACKING-PREFERENCE-EXPRESSION]] or otherwise.</p>
> 
> ~~~~~
Received on Wednesday, 7 March 2012 10:27:08 UTC