- From: David Wainberg <dwainberg@appnexus.com>
- Date: Tue, 15 Nov 2011 13:49:06 -0500
- To: Tom Lowenthal <tom@mozilla.com>, "public-tracking@w3.org" <public-tracking@w3.org>
- Message-ID: <4EC2B422.2080301@appnexus.com>
On 11/8/11 8:11 PM, Tom Lowenthal wrote:

> ACTION-27 ISSUE-10
> ---
>
> An entity becomes a first party when a user takes an affirmative action
> to communicate or interact with that clearly identifiable entity. Unless
> the user has taken such affirmative action, an entity is a third party.
> The following examples indicate interactions which do and do not meet
> this criteria.

Two issues. First, what is a "clearly identifiable entity?" Do you mean distinguishable from other entities, or an identifiable company or brand? I don't know how we will build a workable test around this either way, and it will leave a great deal of uncertainty for entities trying to comply. "You know it when you see it" tests won't work here.

Second, a user should not necessarily have to take an affirmative action to communicate or interact with a party to give that party consent to collect data. (Maybe this is a distinct issue from identifying 1st parties, but ...) There are cases where users arguably would not have an expectation that a first party under this definition would collect data. And there are cases where a user might expect collection by an entity that is a third party under this definition.

As an example, Aleecia raised the first point with regard to a widget differentiated from the main page: "/Do I understand that you are suggesting treating an unknown party with first-party status, so long as the user knows that party differs from the main page yet interacts anyway? Even for an entirely unbranded widget, just so long as it is clearly not from the primary first party?/"

To the latter point, example 9 makes the advertised brand a first party. Is that really the extent of user expectation when they click on an ad? What if the ad has a tag that says "Ads by SomeAdNetwork?" What if there's an icon w/ an interstitial that discloses the parties involved in serving the ad? What about all of the other parties potentially involved in serving the ad?

I'm sure there are other examples where we could infer consent (or reasonable expectation) from something other than communication or interaction. We need to take that into account. Communicating or interacting with a "clearly identifiable entity" is not a slam dunk to identify a first party (or to grant consent to any party). Maybe it could be if you use it very narrowly, and identify a small number of 1st parties, but you then still have a big problem of working out when and how 3rd parties get consent. (You also create a host of unintended consequences.)

Although the examples do a great job of pointing to issues and presenting possible places where lines could get drawn, I don't think they sufficiently illuminate what the standard really is. An unambiguous standard, that can be applied independently and confidently, will have clearly defined terms. Below are elements I can extrapolate from the examples and other discussion and that might go into such a definition:

* Interaction/communication
* Connection between the interaction and expected result or consequences
* Intent
* Identification or differentiation from the surrounding content
* Brand recognition
* Prior relationship

Really, I think these go to indications of consent. But whether you look at it as consent or 1st vs 3rd party, there will remain a question as to the scope of authorized collection/use even after meeting the test. Also, of these, brand recognition and intent are really troublesome. They strike me as far too subjective to be part of a compliance spec.

See additional notes below:

> 3. The user recognizes the Twitter "Tweet this" button, and clicks it in
> order to share the article with their tweeps. Twitter is now a first
> party to this interaction. Google remains a third party.

What if the user does not recognize the Twitter button and clicks it anyway? In this case or in the URL shortener case -- or any case where the user might not understand she is interacting with a third party -- what type of notice is required? Relying on brand recognition seems impossible to me. It's too subjective by user, varies by geography and other contexts, and even if recognized the user still will not necessarily understand the relationship between parties.

> 4. The user loads a new article. An advertisement loads, and begins
> playing loud music. The user clicks the ad's mute button. The ad is at
> all times a third party.
> 5. The user loads a new article. An advertisement loads, and begins
> playing loud music. The user clicks the ad's mute button. The ad is at
> all times a third party.
> 6. The user loads a new article. An advertisement loads, and renders in
> front of the text of the article, obscuring it. The user clicks a
> "close" button on the ad to dismiss it. The ad is at all times a third
> party.

The principle behind these three seems to be that you can't trick a user into giving consent by inducing a click through tricky or invasive practices.

> 8. The user visits a site with a clearly-branded Accuweather.com weather
> widget. The user recognizes the branding, and clicks on the widget to
> get more weather information. Accuweather.com is a first party to that
> interaction.

Again, what if it's clearly branded, but the user doesn't recognize it as a 3rd party to the current site? What will constitute adequate differentiation from the 1st party?

> 9. A user sees an advertisement for Chips Ahoy cookies. The user wants
> to buy some cookies, so they click the ad. The Nabisco is a first party.
> Nabisco may have hired many advertising companies as vendors.

This is generally not how it works. Nabisco might have hired an agency that hired a DSP that buys 3rd party data and integrates with an exchange. I think it will be hard to say Nabisco owns the data, or that it's only a chain of siloed vendor relationships. Many parties might be involved. If a click on an ad only imparts consent to the advertiser and its vendors/agents, we're going to break a lot of stuff. And I don't think that's a reasonable result. But maybe that wasn't the intent here, if a click also gives consent to 3rd party in addition to transforming the advertiser into a 1st party.

> 10. A user sees a tweet which says "Check out this awesome NYT article
> bit.ly/1234". The user clicks the link, expecting to be redirected by
> bitly to the New York Times. Twitter, bitly and the New York Times are
> all first parties to this interaction.

Why bit.ly? Is it because we assume the user knows what bit.ly is? Even if the user knows what it is, does the user know they collect data about the user's clicks? What if it's a link shortener or other type of redirect the user is not familiar with? And what will the consequences be of a standard based on familiarity or recognition? How will that favor some companies/technologies over others? How will it change over time? And how will a company know when it has "graduated" into being familiar enough?

> 11. A user sees a tweet which says "Check out this awesome NYT article
> nyti.ms/1234". The user recognizes that this is a link to the New
> York Times, but doesn't know that the New York Times has hired bit.ly to
> do URL shortening. The user clicks the link, expecting to be redirected
> by a shortener to the New York Times. Twitter and the New York Times are
> all first parties to this interaction. bit.ly is a service provider for
> the New York Times.

Is it? Doesn't that depend on the nature of the relationship between the two? Some have suggested that a certain type of contract must be in place for this to be true. I don't take that position, but the point is this doesn't get at a re-usable underlying principle.

> 12. A user clicks a link which says "Awesome NYT Article" and points to
> framing.com/nyt1234. This page loads nothing but a frame which contains
> a New York Times article, but all links are rewritten to pass through
> framing.com rather than pointing at other NYT articles. The New York
> Times is a first party. Framing.com is a third party.

Why? In comparison to the bit.ly example, is the distinction that the URL was exposed rather than hidden in a link? Does the user have any other relationship with framing.com?

> 13. The user clicks one of these links to go to another NYT article, and
> gets directed to framing.com/nyt1235. The New York Times is a first
> party. Framing.com is a third party.

Also to note in 12 and 13: how will NYT know it's a first party in these circumstances?
Received on Tuesday, 15 November 2011 18:49:42 UTC