RE: Considering browser vendor as a third party

Jonathan,

They collect the identifier only for delivery of the service and move to unlinkability within a short period of time – I thought that outcome was provided for in your proposal.  Are you saying no identifiers, of any type, may be used in your proposal?

- Shane

From: Jonathan Mayer [mailto:jmayer@stanford.edu]
Sent: Sunday, June 10, 2012 3:06 PM
To: Shane Wiley
Cc: Justin Brookman; public-tracking@w3.org
Subject: Re: Considering browser vendor as a third party



On Sunday, June 10, 2012 at 2:37 PM, Shane Wiley wrote:

Jonathan,



For the examples I listed, I’ve seen a step in either install or first use of the browser where I’ve been asked to consider participation (research panel, phishing scanning) and/or how I would like a certain option configured (default search engine for example).  With respect to the “proxy traffic” example - I had a Kindle Fire for a brief time and they “collect” very little information, for a limited period of time, and only retain aggregate (unlinkable) data – but was NOT shown this information in a separate “pop-up” during first use (has that changed – no longer have the Kindle Fire so I can’t check).
Ok, so we're on the same page—some products in this space get explicit consent ex ante, while many (most? almost all?) don't.

I would have thought based on your proposal they would be in the clear for not needing consent based on the limits they place on their business practices (and their PP is crystal clear on this feature for anyone with questions).  Based on your current proposal, if you were to treat as a 3rd party (non-service provider), would they require opt-in consent based on their limited use and retention of the data collected – or would their approach be covered under your grace period?
These products collect a user's browsing history in connection with a unique identifier.  Moreover, the identifier is in some instances an unchangeable hardware value or deliberately linked to a user's identity.  The practices plainly exceed "protocol information" as defined in the compromise proposal.

- Shane



From: Jonathan Mayer [mailto:jmayer@stanford.edu]
Sent: Sunday, June 10, 2012 1:37 PM
To: Shane Wiley
Cc: Justin Brookman; public-tracking@w3.org
Subject: Re: Considering browser vendor as a third party



Shane,



Could you describe the sort of "active user step" you have in mind during installation or first run?  I've used many browsers that proxy traffic or submit telemetry; very few presented an explicit choice ex ante.  I'm sure all included a provision about it in their terms of use or privacy policy—but I thought we recognized that, in general, terms of use/privacy policy would not be sufficient for out-of-band consent.



Thanks,

Jonathan

On Sunday, June 10, 2012 at 1:13 PM, Shane Wiley wrote:

Good points Justin and Vincent – but when I said “first-party” I should have gone further to explain why I stated that position - I believe these are “out-of-band consent” scenarios (downloaded software vs. online surfing experience).  If a UA were to activate traffic funneling to their servers without notice/user interaction, then I would argue they do NOT have user consent for those activities.  Most data funneling activities I’ve witnessed though (toolbar research panels, phishing scanning, default search engine, etc.) all required an active user step in the installation or first-use flows.  Perhaps capturing that perspective (user consent) would suffice (similar to ISSUE-143).



- Shane



From: Justin Brookman [mailto:jbrookman@cdt.org]
Sent: Sunday, June 10, 2012 8:33 AM
To: public-tracking@w3.org
Subject: Re: Considering browser vendor as a third party



We should also consider what to do about cloud-based browsers --- browsers that route web requests through the browser company's own servers in order to render pages more quickly and efficiently (Amazon Fire, RIM, Opera I think all do this).  In this sense, the browser's servers are more like ISPs --- they functionally have to receive the information to operate, but they're also not the end party with which the user is trying to communicate, and a user with DNT on (or otherwise!) might not want and expect the company to be building profiles and/or retaining information about their browsing habits.  In these examples, I would consider the browser company's servers to be third-party servers, but they may collect, use, and retain the information per the permitted uses (which do not squarely address this scenario) or the two-week grace period.  Not sure we need to expand the permitted uses, since any retention beyond two weeks should really fall into one of the existing buckets.

________________________________

From: Vincent Toubiana [mailto:v.toubiana@free.fr]
To: Shane Wiley [mailto:wileys@yahoo-inc.com]
Cc: Rigo Wenning [mailto:rigo@w3.org], public-tracking@w3.org, David Singer [mailto:singer@apple.com], Tom Lowenthal [mailto:tom@mozilla.com], TOUBIANA, VINCENT (VINCENT) [mailto:Vincent.Toubiana@alcatel-lucent.com]
Sent: Sun, 10 Jun 2012 09:52:40 -0400
Subject: Re: Considering browser vendor as a third party

Shane,

I believe Justin's explanation on this point makes sense, we're not
interacting *with* the browser, we're interacting with a 1st party
website *through* the browser. Hence this question might not be out of
scope.

Vincent
> I agree the question is a valid one. But as the group has already discussed "meaningful interaction" as a condition to move a widget from a 3rd party context to a 1st party context, why wouldn't that apply in this case? If you agree, then web browsers would be considered 1st parties and are largely out of scope for the TPWG specification.
>
> - Shane
>
> -----Original Message-----
> From: Rigo Wenning [mailto:rigo@w3.org]
> Sent: Friday, June 08, 2012 12:52 PM
> To: public-tracking@w3.org
> Cc: David Singer; Tom Lowenthal; TOUBIANA, VINCENT (VINCENT)
> Subject: Re: Considering browser vendor as a third party
>
> On Thursday 07 June 2012 14:44:37 David Singer wrote:
>> I don't think that's the question. What is the status of the
>> browser *vendor*'s online site?
> Vincent raised an important question: What happens if the browser
> phones home. I hear all saying this is out of scope and will be
> determined by the applicable jurisdiction. Fine. But it was very
> important to raise that question IMHO.
>
> Rigo
>
>

Received on Sunday, 10 June 2012 22:08:55 UTC