Re: [ISSUE-206] Service Provider (and related ISSUE-219 question)

On Jun 11, 2014, at 11:39 AM, Vinay Goel <vigoel@adobe.com> wrote:

> Hi Justin,
> 
> Ah, got it.  Roy will correct me if I’m wrong, but I believe using Roy’s
> proposed definition, the service provider would take on the same party as
> what shoes.com is when shoes.com interacts/serves an ad on news.com.  The
> fact that the service provider is a service provider to both shoes.com and
> news.com is irrelevant.  It’s because the service provider can only
> retain, access and use the data as directed by the contractee (per
> subclause (2) in Roy’s definition).  So, it can’t use Shoes.com data for
> News.com unless directed by Shoes.com.  It’s not News.com data, so the
> service provider will have to look to Shoes.com for direction.
> 
> I know there’s another debate on whether Shoes.com is allowed to engage in
> this activity when DNT:1 is set; but that’s separate from the service
> provider issue.
> 
> That help clarify it?

Yes, that's the way I understand it too.

The fact that Shoes can use a service provider to serve targeted ads on News
may be surprising to users, and perhaps provides an argument for limiting the
use of first party data in other contexts, but I don't think we need to
address that issue here --- we can adopt Roy's definition by acclamation, and
figure out how to address the context issue in 219.

> 
> -Vinay
> 
> On 6/11/14, 11:28 AM, "Justin Brookman" <jbrookman@cdt.org> wrote:
> 
>> 
>> 
>> On Jun 11, 2014, at 11:23 AM, Vinay Goel <vigoel@adobe.com> wrote:
>> 
>>> Hi Mike,
>>> 
>>> Can't a clause like that turn a service provider into a 'data
>>> controller' by taking actions or making decisions about the data?  I'd
>>> rather we not add clauses in to the definition of service provider that
>>> require the service provider to make decisions on the use of customer's
>>> data.  It also conflicts with '(2) ensures that the data is only
>>> retained, accessed, and used as directed by the contractee'.
>>> 
>>> Justin - in your example, are all of those sites, including News.com,
>>> all part of the same publisher/first-party?  If not, what Roy is saying
>>> below is that News.com would be engaged in tracking if it collected data
>>> on Shoes.com to serve an interest-based ad on News.com.
>> 
>> No, in my example, they're all different companies.  But could *Shoes.com*
>> collect data about the user on Shoes.com, use ADNET as a service
>> provider, and then use ADNET to show a Shoes ad on News.com?  That
>> is, it's not whether News.com is engaged in tracking --- they only use
>> ADNET to show ads on their site, not to collect data.  But if ADNET can
>> use data on Shoes.com's behalf . . .
>> 
>> I'm not saying this is a bad result, just trying to make sure I understand
>> what can happen.
>> 
>>> 
>>> 
>>> -Vinay
>>> 
>>> On 6/11/14, 11:11 AM, "Mike O'Neill" <michael.oneill@baycloud.com>
>>> wrote:
>>> 
>>>> -----BEGIN PGP SIGNED MESSAGE-----
>>>> Hash: SHA1
>>>> 
>>>> Roy,
>>>> 
>>>> Thinking about Justin's concern, would you accept a friendly amendment
>>>> to your service provider definition making it clear that data should
>>>> not be shared outside the context in which it occurred (i.e. our
>>>> definition of tracking), i.e. even if it is only acting at the behest
>>>> of its contractee.
>>>> 
>>>> 
>>>> (5) ensures that data about a user's activity collected in a context
>>>> when DNT is set will not be shared with parties in other contexts.
>>>> 
>>>> 
>>>> 
>>>> mike
>>>> 
>>>>> -----Original Message-----
>>>>> From: Justin Brookman [mailto:jbrookman@cdt.org]
>>>>> Sent: 11 June 2014 15:32
>>>>> To: Roy T. Fielding
>>>>> Cc: W3C DNT Working Group Mailing List
>>>>> Subject: Re: [ISSUE-206] Service Provider (and related ISSUE-219
>>>>> question)
>>>>> 
>>>>> 
>>>>> 
>>>>> On Jun 6, 2014, at 2:42 PM, Roy T. Fielding <fielding@gbiv.com> wrote:
>>>>> 
>>>>>> On Jun 5, 2014, at 11:59 AM, Justin Brookman wrote:
>>>>>> 
>>>>>>> That is Ad X could collect and store data on behalf of Sites 1-300,
>>>>>>> and then serve targeted ads based on any one of those 300 silos
>>>>>>> when a user visits Sites 301?  As long as the contracts allow this
>>>>>>> and prohibit use of blended data across silos?
>>>>>> 
>>>>>> I don't understand how "serve targeted ads based on" some other site
>>>>>> would be allowed unless both sites are owned by the same first party.
>>>>>> Otherwise, that is tracking: "use of data derived from that activity
>>>>>> outside the context in which it occurred".  Note that the definition
>>>>>> of tracking doesn't care whether the tracker is a service provider;
>>>>>> it only cares about the context in which that data was collected.
>>>>>> 
>>>>>> ....Roy
>>>>>> 
>>>>> 
>>>>> It's used outside the context the data was collected, but it's not
>>>>> necessarily cross-site tracking data if it's just held on behalf of a
>>>>> publisher, right?  So if ADNET is a service provider to Shoes.com,
>>>>> Diapers.com, Hats.com, Social.com, and dozens of other publishers, it
>>>>> can collect target ads on News.com based on any one of those silos
>>>>> (say a retargeted ad for a shoe that the user looked at, or something
>>>>> based on the user's activity on Social.com).  Assuming that we adopt
>>>>> your definition of service provider and resolve ISSUE-219 to allow
>>>>> first party data to be used in other contexts.
>>>>> 
>>>>> Or am I misinterpreting the service provider language?
>>>> 
>>>> -----BEGIN PGP SIGNATURE-----
>>>> Version: GnuPG v1.4.13 (MingW32)
>>>> Comment: Using gpg4o v3.3.26.5094 - http://www.gpg4o.com/
>>>> Charset: utf-8
>>>> 
>>>> -----END PGP SIGNATURE-----
>>>> 
>>>> 
>>> 
>> 
>> 
> 

Received on Wednesday, 11 June 2014 15:47:13 UTC