RE: Third parties should not pretend to be first parties

Geoff.  I am sorry.  I am feeling dense today, but I am still not quite sure I understand.  I am fine with using Adobe as an example as we do have products that will expect to use the service provide exemption, such as SiteCatalyst.  It sounds like you are concerned with mixing 1st party data collected by other Adobe products, with 3rd party data collected as a service provider, and stitching them together into a single profile.  Is this right?  If so, you are right - that is not functionality that I think should be permissible (or is permissible according to current doc language).  If I am way off, please step through the exact use case.

From: Geoff Gieron - AdTruth [mailto:ggieron@adtruth.com]
Sent: Thursday, March 01, 2012 1:59 PM
To: Kevin Smith; Justin Brookman; public-tracking@w3.org
Subject: Re: Third parties should not pretend to be first parties

Absolutely Kevin - and please know this is nothing specific to Adobe, but I was using your company as an example.  In this case - while Adobe has need to monitor data for products - you have other business units like Omniture and Efficient frontier that are that have needs for tracking beyond that of product monitoring that could find a way to use that allowance to benefit those additional lines of service.  Another example would be Google - using Gmail log in to allow for the benefit of tracking with DoubleClick and other services where they leverage this login to a mail service to help establish profiles for tracking.  In no way am I claiming Adobe is or would be planning anything malicious - but there seems to be a tendency to allow for exceptions that some people will find to be opportunity to benefit their organization in a way that would exploit these intended allowances.  Make sense?

I believe if the value of what you are looking for - but we have to anticipate that even provisions with the best of intentions could lead to being misused - and hope we as a group can identify any possible verbiage to help allow your need and prevent the aforementioned misuse.  Please let me know if I need explain further or perhaps there is not a way to prevent this from happening and we have to all hope we will equally respect the working group's outlined provisions in the most honest and truthful way we can.

Geoff Gieron
Business Development Strategist

[cid:image001.png@01CCF7CA.CBF139A0]

O:   +1.480.776.5525
M:  +1.602.418.8094
ggieron@adtruth.com<mailto:ggieron@adtruth.com>
www.adtruth.com<http://www.adtruth.com>


From: Kevin Smith <kevsmith@adobe.com<mailto:kevsmith@adobe.com>>
Date: Thu, 1 Mar 2012 12:15:02 -0800
To: Geoff Gieron <ggieron@adtruth.com<mailto:ggieron@adtruth.com>>, Justin Brookman <justin@cdt.org<mailto:justin@cdt.org>>, "public-tracking@w3.org<mailto:public-tracking@w3.org>" <public-tracking@w3.org<mailto:public-tracking@w3.org>>
Subject: RE: Third parties should not pretend to be first parties

I am not entirely sure I understand exactly what you mean by "continue to track and monitor users for purposes of other products offered to clients".  If you can you enumerate your concerns, I will give it my best shot.
From: Geoff Gieron - AdTruth [mailto:ggieron@adtruth.com]
Sent: Thursday, March 01, 2012 12:54 PM
To: Kevin Smith; Justin Brookman; public-tracking@w3.org<mailto:public-tracking@w3.org>
Subject: Re: Third parties should not pretend to be first parties

Kevin - do you have a recommendation in terms of working that will allow for this clearly necessary use without opening the door just enough to allow for companies with other interests - including Adobe - to use product improvement data to continue to track and monitor users for purposes of other products offered to clients.  I can't see any reason we should cut off the ability for product improvement data to be gathered and used, but need something to ensure this does not give other companies with this use case any chance of exploiting it for nefarious reasons.  I think we would all like to prevent the intentional side stepping of browser settings done by Vibrant, Google, Pointroll and others as noted in Jonathan's recent research in terms of bypassing Safari browser privacy settings.

Geoff Gieron
Business Development Strategist

[cid:image001.png@01CCF7CA.CBF139A0]

O:   +1.480.776.5525
M:  +1.602.418.8094
ggieron@adtruth.com<mailto:ggieron@adtruth.com>
www.adtruth.com<http://www.adtruth.com>


From: Kevin Smith <kevsmith@adobe.com<mailto:kevsmith@adobe.com>>
Date: Thu, 1 Mar 2012 11:43:46 -0800
To: Justin Brookman <justin@cdt.org<mailto:justin@cdt.org>>, "public-tracking@w3.org<mailto:public-tracking@w3.org>" <public-tracking@w3.org<mailto:public-tracking@w3.org>>
Subject: RE: Third parties should not pretend to be first parties
Resent-From: <public-tracking@w3.org<mailto:public-tracking@w3.org>>
Resent-Date: Thu, 1 Mar 2012 19:44:34 +0000

I am not sure where the group stands on the part about not using data for product improvement purposes, but I consider this to be a complete deal killer.  It is impossible to create, debug, maintain, and improve an enterprise level service without seeing how actual data moves through the system.

From: Justin Brookman [mailto:justin@cdt.org]
Sent: Thursday, March 01, 2012 12:28 PM
To: public-tracking@w3.org<mailto:public-tracking@w3.org>
Subject: Re: Third parties should not pretend to be first parties

I did not write this particular section, so I cannot speak to drafting intent.  I believe that the language was drafted very narrowly specifically to apply only to those situations where it makes sense to consider the service provider as essentially an extension of the first party.  Otherwise, the vendor should logically be treated as a third party.  Note however, that third parties still have the potential to do many of the things you express concern about --- those operational use cases for third parties are all provided for in 4.4.1.  The parameters of both exceptions (outsourcing and operational use) are still very much in play (as is the exception for unidentifiable data), and I hope the group will focus closely on these issues after the release of the Second Public Working Draft next week.




Justin Brookman

Director, Consumer Privacy

Center for Democracy & Technology

1634 I Street NW, Suite 1100

Washington, DC 20006

tel 202.407.8812

fax 202.637.0969

justin@cdt.org<mailto:justin@cdt.org>

http://www.cdt.org

@CenDemTech

@JustinBrookman

On 3/1/2012 1:21 PM, Vinay Goel wrote:
Hi Justin,

I have a few concerns over the exception for outsourcing as I don't think it fairly captures the service provider relationship.  I'm new to the working group, so I want to make sure I understand the drafting intent.

In particular, my concerns over the definition are:
        - Sub-clause (2) states that the company providing outsourced services has absolutely no independent right to use the data for its own purposes. This includes using the data for product improvement purposes.  A service provider does not use the data for its own customization or profiling purposes; but the service provider needs to understand how the data is flowing and how consumers (users) and customers (websites) areusing our services.  At a minimum, we need to use the data to ensure the products are working properly (and honoring DNT).  But also, if the service provider is not allowed to use the information toimprove its products and services, there is little motivation for our customers to agree to honor DNT.  They want more features; not less.  And, if we are limited in the features we offer our customers (websites), the websites have less motivation to honor DNT.
        - Sub-clause (2) also states that these service providers cannot provide to the industry highly aggregated industry reports that show usage and web trends.  Preventing service providers from doing this isdetrimental to our customers (helping dissuade DNT adoption) and to us. For example, aggregated industry reports on consumer DNT adoption rates by browser/market could be useful in helping understand consumer understanding of DNT and if it is more understood based on a particular browser's implementation.  This definition would prevent these reports from being generated.  I understand that aggregate industry reports are being discussed elsewhere in the document.  Can you help clarify how this relates to those other sections?
        - Sub-clause (3) suggests that the outsourcing provider is required to delete the data once the legal enforceability of our contracts end.  While I agree with the principal of data minimization, I don't think we should tie retention dates to contract expiration dates.  As stated further in the document, there are a few reasons (financial, auditing, legal, fraud) the outsourcing provider may retain data past legal enforceability of the contract.  I understand the intent of this section, but I would suggest we would bebetter off setting limits on how the 3rd party can use (and cannot use) the data instead of forcing deletion.
        - The 'Note' within the non-normative section states that any data collected by the service provider that 'may be used' is subject to the requirements for third parties.  That 'may be used' portion of the sentence seems to counter (4) where it states that so long as the 3rd party has reasonable technical precautions to prevent the co-mingling.  In particular, the 'may be used' portion suggests that even the 3rd party has reasonable technical precautions, if there is at all any chance the data can be co-mingled, its a 3rd party and not a service provider.

Can you help me understand the reasoning behind the language as currently proposed?  I fear that it would actually prevent DNT adoption and set unrealistic (or unachievable requirements as it relates to co-mingling) upon companiestrying to act on behalf of the 1st party.

-Vinay
________________________________
Vinay Goel | Privacy Product Manager | Adobe Systems | Office: 917.934.0867
From: Justin Brookman <jbrookman@cdt.org<mailto:jbrookman@cdt.org>>
Date: Wed, 29 Feb 2012 19:53:51 -0800
To: "public-tracking@w3.org<mailto:public-tracking@w3.org>" <public-tracking@w3.org<mailto:public-tracking@w3.org>>
Subject: Re: Third parties should not pretend to be first parties

There is already an entire section of the compliance spec on this exact issue --- 4.4.2 Exception for Outsourcing.  Is there any reason that exception does not address everyone's concerns, rather than resorting to the fiction that service providers are the same entity as the first party (despite an earlier definition of party that says otherwise)?

If the current exception for outsourcing is not sufficient, I would suggest just revising that to address the problem instead of torturing the definition of "party."
________________________________
From: Joanne Furtsch [mailto:jfurtsch@truste.com]
To: Shane Wiley [mailto:wileys@yahoo-inc.com], Roy T. Fielding [mailto:fielding@gbiv.com], Jonathan Mayer [mailto:jmayer@stanford.edu]
Cc: Tom Lowenthal [mailto:tom@mozilla.com], public-tracking@w3.org<mailto:public-tracking@w3.org> [mailto:public-tracking@w3.org]
Sent: Wed, 29 Feb 2012 22:24:07 -0500
Subject: Re: Third parties should not pretend to be first parties

Agree Service Provider should be defined since they would show up as a
third party but are acting on behalf of a first party in essence making
them a first party. It is a special category of third party. Here is a
proposed Service Provider definition as a starting point.

"Service Provider" is anyone other than the First Party that performs, or
assists in the performance of a function or activity that may involve the
collection, use, and disclosure of data. Such use must only be on behalf
and at the instruction of the First Party, and only for the purpose of
performing or assisting in that specific function or activity as agreed to
by the First Party.


On 2/29/12 6:41 PM, "Shane Wiley" <wileys@yahoo-inc.com<mailto:wileys@yahoo-inc.com>> wrote:

>I agree with both sides and suggest we set forth the definition of a
>Service Provider as a separate and distinct, "special" kind of 3rd party
>that is able to be treated as a 1st party if the appropriate conditions
>are met (contractual relationship, data segregation, etc.). This will
>meet the reality of online business operations today AND provide a
>construct such that Service Providers are not confused in language
>directed at actual 3rd parties. Fair?
>
>1st Party
>3rd Party
>Service Provider (3rd Party acting as a 1st Party)
>Widget (1st Party on 3rd Party sites)
>
>- Shane
>
>-----Original Message-----
>From: Roy T. Fielding [mailto:fielding@gbiv.com<mailto:fielding@gbiv.com>]
>Sent: Wednesday, February 29, 2012 7:29 PM
>To: Jonathan Mayer
>Cc: Tom Lowenthal; public-tracking@w3.org<mailto:public-tracking@w3.org>
>Subject: Re: Third parties should not pretend to be first parties
>
>On Feb 29, 2012, at 6:00 PM, Jonathan Mayer wrote:
>
>> The provisions on outsourcing are not "overly simplistic" in the
>>slightest. The group worked through them at Santa Clara, on the list,
>>and on multiple calls. We've talking through myriad hypotheticals,
>>including service providers like a cloud computing platform.
>>
>> Unless you have a new use case, I think this is all long since closed.
>
>Those sections are marked as PENDING REVIEW in the document, and the
>particular issue we are talking about now (ISSUE-123) is still OPEN.
>
>Since neither of you are on the hook to implement this, I suggest
>you pay attention to my concerns: I object to this wording if it
>includes third parties acting as a first party. A third-party acting
>as a first-party may present itself as the first-party because it is
>already constrained by the section defining "acting as a first-party".
>
>....Roy
>
>
>

________________________________
Confidentiality Notice: The contents of this e-mail (including any attachments) may be confidential to the intended recipient, and may contain information that is privileged and/or exempt from disclosure under applicable law. If you are not the intended recipient, please immediately notify the sender and destroy the original e-mail and any attachments (and any copies that may have been made) from your system or otherwise. Any unauthorized use, copying, disclosure or distribution of this information is strictly prohibited. <ACL>
The information contained in this e-mail is confidential and/or proprietary of AdTruth. The information transmitted herewith is intended only for use by the individual or entity to which it is addressed. If you are not the intended recipient, you should not copy, distribute, disclose or use the information it contains, please e-mail the sender immediately and delete this message from your system.
The information contained in this e-mail is confidential and/or proprietary of AdTruth. The information transmitted herewith is intended only for use by the individual or entity to which it is addressed. If you are not the intended recipient, you should not copy, distribute, disclose or use the information it contains, please e-mail the sender immediately and delete this message from your system.

Received on Thursday, 1 March 2012 23:47:25 UTC