Evaluating common third party embeds/references #8

Open
konklone opened this issue Jul 16, 2015 · 2 comments

@konklone

The DNT policy says this about use of third parties:

3. OTHER DOMAINS: 

  a. If this domain transfers identifiable user data about DNT Users to
     contractors, affiliates or other parties, or embeds from or posts data to
     other domains, we will either:         

  b. ensure that the operators of those domains abide by this policy overall
     by posting it at /.well-known/dnt-policy.txt via HTTPS on the domains in
     question,

    OR

     ensure that the recipient's policies and practices require the recipient
     to respect the policy for our DNT Users' data.

    OR  

     obtain a contractual commitment from the recipient to respect this policy
     for our DNT Users' data.

    NOTE: if an “Other Domain” does not receive identifiable user information
    from the domain because such information has been removed, because the
    Other Domain does not log that information, or for some other reason, these
    requirements do not apply.

I'm considering how a site like 18f.gsa.gov, which uses one third party on every page (Google Analytics), and some third parties on individual blog posts (YouTube, Twitter, Storify, etc.), should view this part of the policy.

It's not totally clear to me how to evaluate the impact of embedding a tweet. By exposing our users' user agents and IP addresses to Twitter.com and Storify.com, do we need to verify that they are compliant with this DNT policy (or strike up a contract?) in order for our website to be considered compliant?
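An added example, not part of the original thread or of the DNT policy project: a first inventory step for clause 3 is listing which other domains a page embeds from and where clause 3b says each would post the policy. The page URL and HTML below are constructed sample input, and `third_party_policy_urls` is a hypothetical helper name.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tags whose URL attribute makes the browser contact a host on page load.
EMBED_ATTRS = {"script": "src", "iframe": "src", "img": "src", "embed": "src",
               "video": "src", "audio": "src", "source": "src",
               "object": "data", "link": "href"}

PAGE_URL = "https://18f.gsa.gov/2015/07/16/example-post/"  # constructed
# Constructed sample page: one analytics script, two embeds, one plain link.
SAMPLE_PAGE = """
<script src="//www.google-analytics.com/analytics.js"></script>
<script src="/assets/js/site.js"></script>
<iframe src="https://www.youtube.com/embed/VIDEO_ID"></iframe>
<script async src="https://platform.twitter.com/widgets.js"></script>
<a href="https://storify.com/example">a plain link, not an embed</a>
<img src="https://18f.gsa.gov/assets/img/logo.png">
"""


class EmbedCollector(HTMLParser):
    """Collects hosts other than the page's own that embeds load from."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.page_host = urlsplit(page_url).hostname
        self.hosts = {}  # third-party host -> set of tags referencing it

    def handle_starttag(self, tag, attrs):
        attr = EMBED_ATTRS.get(tag)
        if attr is None:
            return  # e.g. <a href>: no request until the user clicks
        attrs = dict(attrs)
        if tag == "link" and "stylesheet" not in (attrs.get("rel") or "").lower():
            return  # only stylesheet links are counted in this example
        url = attrs.get(attr)
        if not url:
            return
        # Resolve relative and protocol-relative URLs against the page URL.
        host = urlsplit(urljoin(self.page_url, url)).hostname
        if host and host != self.page_host:
            self.hosts.setdefault(host, set()).add(tag)


def third_party_policy_urls(page_url, html):
    """Map each embedded third-party host to its clause 3b policy URL."""
    collector = EmbedCollector(page_url)
    collector.feed(html)
    return {host: f"https://{host}/.well-known/dnt-policy.txt"
            for host in sorted(collector.hosts)}
```

A host with no policy file at that URL is not automatically a problem under the quoted text, since clause 3 also allows the recipient's own policies, a contractual commitment, or the NOTE about identifiable information not being received.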

@pde
Contributor

pde commented Jul 31, 2015

This is definitely going to be important post-launch work. We should also evaluate hosting platforms and CDNs to ensure that they are DNT compatible, and whether they are DNT compatible by default.

@josephlhall
Heya, @konklone and @pde... this is definitely one of the first questions we asked ourselves here at CDT looking at the 1.0 policy: is there a rubric or list of common embeds as to their compliance? I think we have essentially the same set of small embeds that @konklone lists: GA on each page (with IP "anonymization") and then Twitter and YouTube embeds on some tiny fraction of pages served (embedded by perhaps non-technical/non-legal staff).
