- From: Lukasz Olejnik <lkasz.olejnik@gmail.com>
- Date: Mon, 28 Sep 2015 20:19:06 +0100
- To: public-privacy@w3.org
- Message-ID: <CAC1M5qrQw6B=jcfqzu5YDf38bWdTAqhMj3CKRjWU8-7DRC9o_Q@mail.gmail.com>
Dear all, First of all, this is my first post here so greetings fellow PINGers! I hope to contribute to PING's works here and there. I would like to address the recent contribution request ( https://lists.w3.org/Archives/Public/public-privacy/2015JulSep/0138.html). I wanted to highlight some, perhaps minuscule (perhaps not) things in relation to the Tracking Compliance [3] ( http://www.w3.org/TR/2015/WD-tracking-compliance-20150714/#transitive-exceptions) that might deserve a bit of scrutiny. First of all, this is a good job. Let's hope deployment & actual enforcement will follow later on. Now my comments are directed solely at point 4 of this draft, the consent. Specifically, 4.1 - about transitive consent for data sharing. It is naturally a usability feature that has practical means and needs, i.e. to transfer the consent to the service providers. I will follow the draft text and use here the example of ads providers as well. First issue is whether it won't allow the, well, let's poetically call it "consent laundering"? Scenario: 1. User has no previous knowledge of the existence of parties, say, A1, ...., A100. 2. User grants consent (for sharing data) to B. 3. A1, ..., A100 do not wish to ask for consent, for whatever reason. So they use the service of B to transitively acquire it. So perhaps an example party, say A37, could even inject scripts of B, who then would inject scripts of A37...? Since B can transfer consent, consent is granted to A37. In a manner similar to cookie matching (e.g. using HTTP redirects, as in https://developers.google.com/ad-exchange/rtb/cookie-guide). I acknowledge the latter MUST clause, where I do not see any suggestions of enforcement. So this is a privacy case with possibly non-obvious implications where consent is being transferred to other party, as a matter of service. Another comment may touch the "inhibiting adoption" issue. Whether enough flexibility in terms of consent is provided - provided there is a justified need, that is. In this case let's discuss a situation when, say, the user visits site A, a consent (for sharing data) is given to other party B (level 1), and then B (later on) transitively provides this to other parties (level 2; C, D, ...), of which the user may not be aware of. So the thing here is: to how many parties the consent is being granted in this mode? Also, how many levels of consent should be allowed? Should there be any concept of levels at all? But further, let's assume a site A is including scripts of B (with consent for sharing data), who is an Ad Exchange, running a Real-Time Bidding platform (https://developers.google.com/ad-exchange/rtb/). Then let's assume this platform has 100 bidders - all of them receive data about the user during the RTB protocol. Furthermore, let's say a bidder C wins and is able to deliver an ad. Does C, who may possibly maintain its own tracking infrastructure posses the consent due to the transitivity? Even more specifically, what happens if C is also an Ad Exchange and runs another round, and has also a number of bidders and in the end some other party D wins and delivers the end-content. So the original consent might possibly be granted to B, going through C and reaching D? In this case, I think 4.1 is written quite well in terms of generality, but are we sure about the levels of transitivity? Now to sum it up, consent is obviously required. This is a core principle of privacy. But should there be any limits to transitivity? Or perhaps the points I highlighted might be addressed somehow? Best regards Lukasz Olejnik
Received on Wednesday, 30 September 2015 13:29:30 UTC