W3C home > Mailing lists > Public > public-tracking@w3.org > November 2011

Re: User intended interactions [1st & 3rd Parties]

From: Bjoern Hoehrmann <derhoermi@gmx.net>
Date: Fri, 11 Nov 2011 23:12:13 +0100
To: Tom Lowenthal <tom@mozilla.com>
Cc: "public-tracking@w3.org" <public-tracking@w3.org>
Message-ID: <upvqb758eb9j6p6d5liucsce4urks5ibvi@hive.bjoern.hoehrmann.de>
* Tom Lowenthal wrote:
>An entity becomes a first party when a user takes an affirmative action
>to communicate or interact with that clearly identifiable entity. Unless
>the user has taken such affirmative action, an entity is a third party.
>The following examples indicate interactions which do and do not meet
>this criteria.

If the first/third party distinction is supposed to be a vehicle to ex-
plain what the user means when they say they do not wish their online
activity to be tracked across web sites, then this seems to be missing
the point a bit. I am not sure how the distinction is useful if it does
not affect what kind of data collection and retention is okay.

>7. The user visits a site. There is a weather widget with no obvious
>branding. The user thinks that the widget is operated by and part of the
>site that they are visiting, because of the lack of obvious branding.
>The user clicks on the widget to scroll forward and see tomorrow's
>weather. The widget is at all times a third party.
>8. The user visits a site with a clearly-branded Accuweather.com weather
>widget. The user recognizes the branding, and clicks on the widget to
>get more weather information. Accuweather.com is a first party to that
>interaction.

This for instance amounts to saying the user is okay with having their
online activity tracked across web sites if you make the logo very big.

If you have a weather widget that's used on every other web site, and
on load it renders the current weather, and you have to click to show
a forecast, and a user does that on many sites while also sending the
do not track signal, and the weather widget provider builds a profile
about which web sites the user visits, it's clearly tracking the user
contrary to the user's wishes, however much branding there might be.

If clicking the forecast link would navigate the top level window to
the weather widget provider's site, then it might be plausible to argue
building such a profile from actual visits to the weather site is not
the kind of tracking the user is objecting to; but if the user always
stays on the embedding site, then asking for a forecast every once in a
while does not indicate they don't mean it when they say "do not track".

>10. A user sees a tweet which says "Check out this awesome NYT article
>bit.ly/1234". The user clicks the link, expecting to be redirected by
>bitly to the New York Times. Twitter, bitly and the New York Times are
>all first parties to this interaction.

If you tell bit.ly you do not want to be tracked, and they install a
userid cookie on your computer and record all the bit.ly links you
click, where you clicked them and where they took you, then they are
not tracking you across sites because they are a first party? That
does not make sense to me.
-- 
Björn Höhrmann · mailto:bjoern@hoehrmann.de · http://bjoern.hoehrmann.de
Am Badedeich 7 · Telefon: +49(0)160/4415681 · http://www.bjoernsworld.de
25899 Dagebüll · PGP Pub. KeyID: 0xA4357E78 · http://www.websitedev.de/ 
Received on Friday, 11 November 2011 22:12:50 UTC

This archive was generated by hypermail 2.3.1 : Friday, 21 June 2013 10:11:22 UTC