
Re: Summary of First Party vs. Third Party Tests

From: John Simpson <john@consumerwatchdog.org>
Date: Fri, 4 Nov 2011 14:06:03 -0700
Message-Id: <08F38F43-263C-4AB0-B8BF-9559F436E689@consumerwatchdog.org>
Cc: Shane Wiley <wileys@yahoo-inc.com>, David Wainberg <dwainberg@appnexus.com>, Rigo Wenning <rigo@w3.org>, "public-tracking@w3.org" <public-tracking@w3.org>, Jonathan Mayer <jmayer@stanford.edu>
To: Amy Colando (LCA) <acolando@microsoft.com>

Agree we need a clear definition of First Party. Owner of the site that I am visiting starts to get there, but is not enough. User expectations must be a factor as well. Use example: I go to CNET.com; there is no way that I as a user would expect CBS.com is a First Party site based on my interaction with CNET.

Some good actors adopting best practices might wish to go beyond a minimum DNT response and actually not offer a customized page without asking the user to opt in to it if DNT were enabled.


On Nov 3, 2011, at 2:57 PM, Amy Colando (LCA) wrote:

> I agree with Shane and think a clear 1st party definition (e.g., the owner of the site that I am visiting) will align with consumer expectations and support deployment by sites.  If DNT overrides basic customizing functionality of sites (such as customized Amazon page, or seeing my local news on a national news page), then I am concerned that fewer sites will want to deploy DNT and more users will end up switching DNT off.
>
> -----Original Message-----
> From: Shane Wiley [mailto:wileys@yahoo-inc.com] 
> Sent: Thursday, November 03, 2011 1:07 PM
> To: David Wainberg; Rigo Wenning
> Cc: public-tracking@w3.org; Jonathan Mayer
> Subject: RE: Summary of First Party vs. Third Party Tests
>
> I believe 1st and 3rd party distinctions are critical to the conversation and a wholesale application of DNT - even to the site the user is expecting to visit - doesn't make sense.  As Aleecia's research has expressed, users do generally understand the difference and I believe our work should reflect that.  If we move to "explicit vs. implied" it seems like we're right back in the same place and are simply shifting terminology but the substance of the discussion is the same - which is "where is the DNT signal expected to be respected?".
> - Shane
>
> -----Original Message-----
> From: David Wainberg [mailto:dwainberg@appnexus.com]
> Sent: Thursday, November 03, 2011 12:58 PM
> To: Rigo Wenning
> Cc: public-tracking@w3.org; Jonathan Mayer
> Subject: Re: Summary of First Party vs. Third Party Tests
>
> I agree with Rigo that the 1st vs 3rd party approach is too complex. We can get effectively the same result, but in a cleaner and more scalable way if we have a baseline application of DNT to all parties, and then provide exceptions based on consent. We'll still need to have the debate about what constitutes consent (explicit and implied), but the result will be a broadly applicable rule (or set of rules). That would be more useful than trying to cook up a 1st vs 3rd party distinction that's workable in this diverse ecosystem.
>
> On 11/1/11 6:10 PM, Rigo Wenning wrote:
>> Add one minority opinion that says that the distinction between first 
>> and third parties is too complex. This mixes technical and legal 
>> consideration into an indigestible brewing. It will make 
>> implementation on the service side too complex. It will create risk and ambiguity.
>> I would rather tone down the compliance requirements for all and not 
>> distinguish between first and third parties to avoid the difficult 
>> distinctions. (I can generate a number of challenging distinctions on 
>> demand)
>> I also believe that this will create a race into being a first party 
>> and that every ambiguity will be used to become a first party. At the 
>> end of the day, everybody will be a first party by contract or other virtue.
>> Best,
>> Rigo
>> On Friday 28 October 2011 22:11:24 Jonathan Mayer wrote:
>>> (ACTION-25)
>>> As I understand it, there are four camps on how to distinguish 
>>> between first parties and third parties.
>>> 1) Domain names (e.g. public suffix + 1).
>>> 2) Legal business relationships (e.g. corporate ownership + affiliates).
>>> 3) Branding.
>>> 4) User expectations.
>>> Here are some examples that show the boundaries of these definitions.
>>> Example: The user visits Example Website at example.com.  Example 
>>> Website embeds content from examplestatic.com, a domain controlled by 
>>> Example Website and used to host static content.
>>> Discussion: Content from the examplestatic.com domain is first-party 
>>> under every test save the first.
>>> Example: Example Website (example.com) strikes a deal with Example 
>>> Affiliate (affiliate.com), an otherwise unrelated company, to share 
>>> user data.  The user visits Example Website, and it embeds content from Example Affiliate.
>>> Discussion: Content from Example Affiliate is third-party under every 
>>> test save the second.
>>> Example: Example Website embeds a widget from Example Social Aggregator.
>>> The widget includes a prominent logo for Example Social Aggregator, 
>>> though a user is unlikely to recognize it.
>>> Discussion: Content from Example Social Aggregator is third-party 
>>> under every test save the third.

John M. Simpson
Consumer Advocate
Consumer Watchdog
1750 Ocean Park Blvd., Suite 200
Santa Monica, CA, 90405
Tel: 310-392-7041
Cell: 310-292-1902
Received on Friday, 4 November 2011 21:06:59 UTC
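
The domain-name test from the quoted summary (public suffix + 1), as an added example that is not part of the original thread. The rule list is a small constructed subset of the public suffix list, and the function names are hypothetical; IP-address hosts are not handled.

```javascript
// Constructed subset of public-suffix rules (the real list is far longer).
// "*.ck" is a wildcard rule, "!www.ck" an exception to it.
const RULES = ["com", "org", "uk", "co.uk", "*.ck", "!www.ck"];

// True when every label of the rule matches the host, compared right to left.
function ruleMatches(ruleLabels, hostLabels) {
  if (ruleLabels.length > hostLabels.length) return false;
  for (let i = 1; i <= ruleLabels.length; i++) {
    const r = ruleLabels[ruleLabels.length - i];
    const h = hostLabels[hostLabels.length - i];
    if (r !== "*" && r !== h) return false;
  }
  return true;
}

// Returns the public suffix plus one label, or null when the host
// is itself a public suffix (no registrable domain exists).
function registrableDomain(host) {
  const labels = host.toLowerCase().replace(/\.$/, "").split(".");
  let suffixLen = 1; // implicit default rule "*": the last label is a suffix
  for (const rule of RULES) {
    const isException = rule.startsWith("!");
    const ruleLabels = (isException ? rule.slice(1) : rule).split(".");
    if (!ruleMatches(ruleLabels, labels)) continue;
    if (isException) {
      // An exception rule wins outright; its suffix drops the leftmost label.
      suffixLen = ruleLabels.length - 1;
      break;
    }
    suffixLen = Math.max(suffixLen, ruleLabels.length); // longest rule wins
  }
  if (labels.length <= suffixLen) return null;
  return labels.slice(-(suffixLen + 1)).join(".");
}

// Test 1 only: same registrable domain means first party.
function isFirstPartyByDomain(pageHost, resourceHost) {
  const page = registrableDomain(pageHost);
  return page !== null && page === registrableDomain(resourceHost);
}
```

Under this test a subdomain such as static.example.com is first-party to example.com, while examplestatic.com is not, which is the boundary the first quoted example draws.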

This archive was generated by hypermail 2.3.1 : Friday, 3 November 2017 21:44:42 UTC