Re: ISSUE-219 (context separation) from John M. Simpson on 2014-06-24 (public-tracking@w3.org from June 2014)

From: John M. Simpson <john@consumerwatchdog.org>
Date: Tue, 24 Jun 2014 16:19:37 -0400
To: Shane M Wiley <wileys@yahoo-inc.com>
Cc: Justin Brookman <jbrookman@cdt.org>, Alan Chapell <achapell@chapellassociates.com>, "public-tracking@w3.org" <public-tracking@w3.org>
Message-Id: <F04F3DDC-A932-49EC-8545-004CF6582DA6@consumerwatchdog.org>

We're trying to find language that clearly prevents that, though you may disagree with the position when it goes to formal objection...

Sent from my iPhone
John M. Simpson
Privacy Project Director
Consumer Watchdog

> On Jun 24, 2014, at 4:10 PM, Shane M Wiley <wileys@yahoo-inc.com> wrote:
> 
> Wouldn’t many first parties be able to argue they have user consent (implied or explicit) to do this thus trumping this provision?  If yes, then perhaps this isn’t an issue as 1st parties will still be able to use data collected in the 1st party context in a 3rd party context (use only; all collection is still covered by DNT).
>  
> - Shane
>  
> From: Justin Brookman [mailto:jbrookman@cdt.org] 
> Sent: Tuesday, June 24, 2014 1:05 PM
> To: Alan Chapell
> Cc: public-tracking@w3.org
> Subject: Re: ISSUE-219 (context separation)
>  
> I think Walter's language is trying to accomplish what you want.  When he says "the third party must not use data gathered in another context," I think "another context" logically includes all first-party when that party was previously a first party.
>  
> Would you prefer to say:
>  
> "the third party must not use data gathered in another context, including when it was a first party . . ."?  Or something like that?
>  
> You had previously proposed: "Use of this data outside the first party context is tracking and subject to third party rules for tracking, as outlined in Section 5." but I can't tell from the wiki where that sentence was supposed to go.
>  
> Since I'm fairly sure you all are trying to accomplish the same thing, I really hope we can merge these options.
>  
> On Jun 24, 2014, at 3:52 PM, Alan Chapell <achapell@chapellassociates.com> wrote:
> 
> 
> Hi Walter -
> 
> This language doesn't seem to address a first party acting in a third
> party context. Was that by design?
> 
> I strongly support re-inserting the language around first parties not
> being able to use data outside the Context in which it was collected.
> 
> Alan
> 
> 
> 
> 
> 
> On 6/24/14 3:29 PM, "Walter van Holst" <walter.van.holst@xs4all.nl> wrote:
> 
> 
> On 24/06/2014 17:57, Ninja Marnau wrote:
> 
> Hi John, hi Mike,
> 
> we wil probably start a Call for objections on the topic of context
> separation this wee. Could you take a look at Walter's proposal to see
> whether it does reflect your text for data append and first parties: "A
> Party MUST NOT use data gathered while a 1st Party when operating as a
> 3rd Party.²
> 
> Here is the link to Walter's text:
> 
> https://www.w3.org/wiki/Privacy/TPWG/Change_Proposal_Limitations_on_use_i
> n_Third_Party_Context#Proposal_2:_Prohibit_use_of_data_collected_as_any_t
> ype_of_party
> 
> 
> Mike, John and I have had a fruitful discussion, which resulted in a
> more precise wording of what I wanted to achieve and I have updated the
> text accordingly to:
> 
> "... the third party MUST NOT use data gathered in another context about
> the user, other than with their explicit consent or for permitted uses
> as defined within this recommendation."
> 
> I feel this is a make-or-break issue for the compliance specification
> which on top of the privacy issue also has competition implications. A
> strong separation between 1st and 3rd party roles is a must for this
> compliance specification to be credible.
> 
> Regards,
> 
> Walter
> 
> 
> 
> 
> 
> 
>

Received on Tuesday, 24 June 2014 20:20:21 UTC