- From: Roy T. Fielding <fielding@gbiv.com>
- Date: Wed, 11 Jun 2014 08:56:29 -0700
- To: Vinay Goel <vigoel@adobe.com>
- Cc: Mike O'Neill <michael.oneill@baycloud.com>, 'Justin Brookman' <jbrookman@cdt.org>, 'W3C DNT Working Group Mailing List' <public-tracking@w3.org>
Yep, what Vinay said. Compliance doesn't change the meaning of DNT:1.
Likewise, the service provider definition doesn't change the ability
of a first party or the set of sites that party owns -- it only allows
the service provider to act on behalf of that first party without being
considered a third party (for that data collected as a first party).
A service provider to a third party is still going to be a third party.

....Roy

On Jun 11, 2014, at 8:23 AM, Vinay Goel wrote:

> Hi Mike,
>
> Can't a clause like that turn a service provider into a "data controller"
> by taking actions or making decisions about the data? I'd rather we not
> add clauses in to the definition of service provider that requires the
> service provider to make decisions on the use of customer's data. It also
> conflicts with "(2) ensures that the data is only retained, accessed, and
> used as directed by the contractee".
>
> Justin - in your example, are all of those sites, including News.com, all
> part of the same publisher/first-party? If not, what Roy is saying below
> is that News.com would be engaged in tracking if it collected data on
> Shoes.com to serve an interest-based ad on News.com.
>
> -Vinay
>
> On 6/11/14, 11:11 AM, "Mike O'Neill" <michael.oneill@baycloud.com> wrote:
>
>> Roy,
>>
>> Thinking about Justin's concern, would you accept a friendly amendment to
>> your service provider definition making it clear that data should not be
>> shared outside the context in which it occurred (i.e. our definition of
>> tracking), i.e. even if it is only acting at the behest of its
>> contractee.
>>
>> (5) ensures that data about a user's activity collected in a context when
>> DNT is set will not be shared with parties in other contexts.
>>
>> mike
>>
>>> -----Original Message-----
>>> From: Justin Brookman [mailto:jbrookman@cdt.org]
>>> Sent: 11 June 2014 15:32
>>> To: Roy T. Fielding
>>> Cc: W3C DNT Working Group Mailing List
>>> Subject: Re: [ISSUE-206] Service Provider (and related ISSUE-219 question)
>>>
>>> On Jun 6, 2014, at 2:42 PM, Roy T. Fielding <fielding@gbiv.com> wrote:
>>>
>>>> On Jun 5, 2014, at 11:59 AM, Justin Brookman wrote:
>>>>
>>>>> That is Ad X could collect and store data on behalf of Sites 1-300,
>>>>> and then serve targeted ads based on any one of those 300 silos when
>>>>> a user visits Sites 301? As long as the contracts allow this and
>>>>> prohibit use of blended data across silos?
>>>>
>>>> I don't understand how "serve targeted ads based on" some other site would
>>>> be allowed unless both sites are owned by the same first party.
>>>> Otherwise, that is tracking: "use of data derived from that activity outside
>>>> the context in which it occurred". Note that the definition of tracking
>>>> doesn't care whether the tracker is a service provider; it only cares
>>>> about the context in which that data was collected.
>>>>
>>>> ....Roy
>>>
>>> It's used outside the context the data was collected, but it's not
>>> necessary cross-site tracking data if it's just held on behalf of a
>>> publisher, right? So if ADNET is a service provider to Shoes.com,
>>> Diapers.com, Hats.com, Social.com, and dozens of other publishers, it
>>> can collect target ads on News.com based on any one of those silos
>>> (say a retargeted ad for a shoe that the user looked at, or something
>>> based on the user's activity on Social.com). Assuming that we adopt
>>> your definition of service provider and resolve ISSUE-219 to allow
>>> first party data to be used in other contexts.
>>>
>>> Or am I misinterpreting the service provider language?
Received on Wednesday, 11 June 2014 15:56:51 UTC