
Re: Summary of First Party vs. Third Party Tests

From: Rigo Wenning <rigo@w3.org>
Date: Wed, 02 Nov 2011 09:05:05 -0700
To: John Simpson <john@consumerwatchdog.org>
Cc: public-tracking@w3.org, Jonathan Mayer <jmayer@stanford.edu>
Message-ID: <2427420.3nGzoVeuEh@longtarin>
John, 

in a hallway conversation, Matthias expressed the idea that higher data 
minimization would allow for a more relaxed view on the silo or sharing things 
etc. Another thing is that we could try to define retention limitations 
before aggregation and relax the rule on what a third party is. Creativity is 
needed. 

Best, 

Rigo

On Tuesday 01 November 2011 15:37:18 John Simpson wrote:
> Rigo,
> 
> Can you please give us some examples of what the toned compliance
> requirements for all would be? I too worry that with a first party third
> party distinction there is a real danger that everyone will be a first
> party very quickly.
> 
> However, cutting back on the compliance requirements, it seems to me, runs
> the very real risk of making DNT essentially meaningless.
> 
> Thanks,
> John
> 
> On Nov 1, 2011, at 3:10 PM, Rigo Wenning wrote:
> > Add one minority opinion that says that the distinction between first
> > and third parties is too complex. This mixes technical and legal
> > consideration into an indigestible brewing. It will make implementation
> > on the service side too complex. It will create risk and ambiguity.
> > 
> > I would rather tone down the compliance requirements for all and not
> > distinguish between first and third parties to avoid the difficult
> > distinctions. (I can generate a number of challenging distinctions on
> > demand)
> > 
> > I also believe that this will create a race into being a first party and
> > that every ambiguity will be used to become a first party. At the end
> > of the day, everybody will be a first party by contract or other
> > virtue.
> > 
> > Best,
> > 
> > Rigo
> > 
> > On Friday 28 October 2011 22:11:24 Jonathan Mayer wrote:
> >> (ACTION-25)
> >> 
> >> As I understand it, there are four camps on how to distinguish between
> >> first parties and third parties.
> >> 
> >> 1) Domain names (e.g. public suffix + 1).
> >> 
> >> 2) Legal business relationships (e.g. corporate ownership +
> >> affiliates).
> >> 
> >> 3) Branding.
> >> 
> >> 4) User expectations.
> >> 
> >> Here are some examples that show the boundaries of these definitions.
> >> 
> >> Example: The user visits Example Website at example.com.  Example
> >> Website embeds content from examplestatic.com, a domain controlled by
> >> Example Website and used to host static content.
> >> 
> >> Discussion: Content from the examplestatic.com domain is first-party
> >> under every test save the first.
> >> 
> >> Example: Example Website (example.com) strikes a deal with Example
> >> Affiliate (affiliate.com), an otherwise unrelated company, to share
> >> user data.  The user visits Example Website, and it embeds content
> >> from Example Affiliate.
> >> 
> >> Discussion: Content from Example Affiliate is third-party under every
> >> test save the second.
> >> 
> >> Example: Example Website embeds a widget from Example Social
> >> Aggregator. The widget includes a prominent logo for Example Social
> >> Aggregator, though a user is unlikely to recognize it.
> >> 
> >> Discussion: Content from Example Social Aggregator is third-party
> >> under every test save the third.
> 
> ----------
> John M. Simpson
> Consumer Advocate
> Consumer Watchdog
> 1750 Ocean Park Blvd., Suite 200
> Santa Monica, CA, 90405
> Tel: 310-392-7041
> Cell: 310-292-1902
> www.ConsumerWatchdog.org
> john@consumerwatchdog.org
Received on Wednesday, 2 November 2011 16:05:52 UTC
