W3C home > Mailing lists > Public > public-tracking@w3.org > April 2012

Re: Parties and First Party vs. Third Party (ISSUE-10)

From: Clay Webster <clay.webster@cbsinteractive.com>
Date: Thu, 5 Apr 2012 17:37:44 -0400
Message-ID: <CACOLfqekjeNMDFKXn8mQVpjOOmE1QkUQQ24jPvm1wsSsropkKA@mail.gmail.com>
To: Tracking Protection Working Group WG <public-tracking@w3.org>
Folks,

I thought it would be beneficial to share a use case of a business with
multiple brands and what the operations are like.  CBS has dozens of
brands.  Some overlap in complex ways.  For this example I only cover two
distinct brands: news.cnet.com (formerly news.com but now a sub-brand of
CNET) and www.cbsnews.com.  Many of the below points might be only okay if
we are first party to ourselves.  Some points would of course be fine in
any DNT context.  This is an example and not particularly proprietary or
limited to CBS.  There are many other dimensions in operating the sites,
but these seem to be the most illustrative.

   - The news.cnet.com and www.cbsnews.com brands are distinct and highly
   valued.
   - A few reporters post stories in both sites but this is usually
   restricted to the tech and some smaller portion of politics sections of
   cbsnews.com.
   - A small amount of content is the same and published to both sites, but
   accompanied by the [largely in-effectual] canonical URI.  This is not very
   common.  Stories may be more tailored by the same reporter with a different
   audience focus.
   - The tool which reporters, editors, and production staff use is the
   same.  Staff decide which site to publish to on a per-story basis.
   - The CMS and the engineers developing and supporting the CMS for both
   brands are the same.
   - The engineers developing and supporting the APIs for both brands are
   the same.
   - The developers for the front-end of the sites are generally not the
   same individuals (dedicated staff).
   - The technical operations staff (sys-ops, system programmers,
   troubleshooting) supporting both brands are the same.
   - The network operations and system administrators support both brands.
   - The search infrastructure is shared across both brands.
   - The content database is shared across both brands.
   - The code base, build system, deployment system, and application
   server, are all shared and co-mingled.
   - The applications are active/inactive (and vice-versa) on different
   ports on appservers.
   - The front-end Apache httpd is the same for both brands.
   - The internal ad system is the same and supported by the same staff for
   both brands.
   - The internal [com.com-based] logging, analytics, both logfiles and
   message queues are all shared.
   - The hadoop ETL system is shared.
   - The large data warehousing and analytics/reporting system are all
   shared.
   - The brands are in the same corporation, CBS Inc.
   - The brands are in the same business, CBS' online organization, CBS
   Interactive.
   - The brands are managed by the same two-headed GMs (who don't divide
   their work by brand).
   - The brands have roughly the same footer (though despite best efforts
   this isn't universal for all CBS sites).
   - The brands have approximately the same footer content listing all CBS
   Interactive sites.
   - The brands have the same copyright notice.
   - The brands have the same privacy policy.
   - Taken generally, the relationship between the brands is disclosed in
   multiple ways and easily discoverable.

This is one simple two brand example.  There are other complex examples.
When considering *additional* distinct brands and sub-brands in a partially
shared infrastructure, the definition of a first-party collector is clearly
very important.  It can add combinatorial complexity to some of the
collection/non-collection and data isolation issues.  (Or for a given
context make it logically impossible.) Data collection and processing is of
course already a ridiculously expensive and complex operation outside of
DNT. ;-)

--cw

Clay Webster
Associate Vice President, Platform Infrastructure
1200 Route 22 East, Bridgewater NJ 08807




On Wed, Mar 28, 2012 at 5:55 PM, David Singer <singer@apple.com> wrote:

>
> On Mar 28, 2012, at 11:35 , Lauren Gelman wrote:
>
> >
> > Is there consensus on (b).
>
> I thought so.  We discussed in Brussels the scenario: the user has a
> relationship with site A, and has agreed (for example) to their privacy
> policy. A has represented that site B is part of the same party, and data
> has passed from A to B.  B now does something contrary to the policy with
> the user's data.  The user complains to A (who they have a relationship
> with).  A *cannot* now respond "that's not me, that's someone else, take it
> up with them" because they previously claimed to be the same party.
>
> >
> > On Mar 27, 2012, at 4:44 PM, David Singer wrote:
> >
> >> After reading this thread, I am still unsure as to what concrete
> problem is being addressed.
> >>
> >> Did we not have requirements before that to be considered a single
> party, two sites must
> >> a) make that party relationship discoverable
> >> and
> >> b) have a legal relationship such that data flows between the sites are
> protected by the same obligations, duties etc. (I don't recall the
> phrasing).
> >>
> >> ?
> >>
> >>
> >> It seems that we need to cover the cases:
> >> * a 1st party asks for exceptions; I think it beholden on the party to
> explain how broadly this applies ("this permission is not just for the
> bogville chronicle, but all organizations in the BogNews group").
> >> * a 3rd party wants a web-wide exception; again, the same applies -
> explain to the user the affected properties;
> >> * a site that the UA doesn't immediately detect as the 1st party sends
> the return header "I am the first party" - the UA can check that they are,
> or smell a rat.
> >>
> >> Under what circumstances do we need something more than (and more
> subjective than) (a) and (b) above (suitably phrased), to meet these needs?
>  What does (for example) a 'branding' requirement add?
> >>
> >>
> >>
> >>
> >> David Singer
> >> Multimedia and Software Standards, Apple Inc.
> >>
> >>
> >
> > Lauren Gelman
> > BlurryEdge Strategies
> > 415-627-8512
> > gelman@blurryedge.com
> > http://blurryedge.com
> >
>
> David Singer
> Multimedia and Software Standards, Apple Inc.
>
>
>
Received on Thursday, 5 April 2012 21:38:10 UTC

This archive was generated by hypermail 2.3.1 : Friday, 21 June 2013 10:11:27 UTC