Re: Draft Text on First Parties and Third Parties (ACTION-34, ISSUE-10, ISSUE-26, ISSUE-88) from Justin Brookman on 2012-01-06 (public-tracking@w3.org from January 2012)

From: Justin Brookman <justin@cdt.org>
Date: Fri, 06 Jan 2012 10:20:13 -0500
CC: public-tracking@w3.org
Message-ID: <4F07112D.3090903@cdt.org>
A couple thoughts:

On 1/5/2012 5:50 PM, Jonathan Mayer wrote:
>
> On Jan 5, 2012, at 8:33 AM, Justin Brookman wrote:
>
>> I would revise the definition of first party to "A first party is, in 
>> a specific network interaction, the operator of the domain with which 
>> the user intended to communicate."
>
> On "the operator of the domain":
> You're glossing over the (crucial) definition of "party."  What's an 
> "operator of [a] domain"?  PS+1 corporate ownership/control?

I gloss over the definition of party because it's addressed elsewhere.  
But you're right, I should have said, "A first party is, in a specific 
network interaction, /the party that operates the domain/ . . ."

> On "with which the user intended to communicate":
> Tom and I drafted objective definitions that require a universal, 
> straightforward, testable judgement about party divisions and party 
> status.  Subjective standards are unworkable - we can't expect a 
> website to understand each user's mental state.
I don't see how "with which the user intended to communicate" is any 
more subjective than "that can infer with high probability that the user 
knowingly and intentionally communicated with it."  I'm not wedded to my 
language, but I think tying intent to the specific domain the user's 
trying to get to instead of the more vague concept of who the user is 
might be trying to "communicate with" on any given domain is more 
precise and will make implementation simpler.

>> I would remove the entire section about multiple first parties as I 
>> do not believe a realistic example has been presented where that 
>> would ever be the case.  In the example of the craigslist/Google Maps 
>> mashup, whichever of the two is the actual operator of the domain 
>> should be the first party and the other would be the third party (or, 
>> if an entirely different entity operates the mashup, as appears to be 
>> the case at HousingMaps.com <http://HousingMaps.com>, the operator of 
>> HousingMaps is the first party and craigslist and Google are third 
>> parties if they're present at all).
>> Third parties can still become first parties if their content is 
>> clearly branded and a user meaningfully interacts with the content.  
>> Writing a spec for the extreme and unprecedented edge case 
>> facebookandmoviefonebothrunthisdomain.com 
>> <http://facebookandmoviefonebothrunthisdomain.com> will cause more 
>> uncertainty and invite abuse while not solving an actual problem.  
>> Domains have one operator; until co-registration becomes an option, 
>> sticking with one first party makes sense.
>
> Here's a different multiple first-party use case to motivate the 
> issue: examplecompany.tumblr.com <http://examplecompany.tumblr.com>. 
>  It's quite clear that both Example Company and Tumblr are providing 
> content.
Tumblr is the first party and Example is a third party.  I don't expect 
Example to track me on their Facebook page, their Tumblr, or if they 
post an ad in Craigslist that I visit.  In practice, I don't believe 
passive tracking on third-party platforms is common.  I would be willing 
to make exceptions for otherwise third parties that are /proactively 
/mashed up by the user (added to an aggregator), though I agree that the 
privacy implications are less concerning than the practical 
implementation (and the related who-the-hell-embedded-my-content question).
>> I would also add .url shortener services as a specific example of a 
>> third party with which the user was not intending to communicate.
>
> Tom and I left URL shortening services as an open ISSUE.  I support 
> moving them into the common use cases discussion as, in general, third 
> parties.
This is more in response to Heather, but I can't think of a single URL 
shortener scenario that looks like a first-party interaction.  If I read 
this on Twitter: "Neat WSJ story on #privacy in the cloud: goo.gl/eT3d" 
and click on the link, I think the WSJ is the first party and Google is 
a third party.  I'm clearly not trying to interact with Google --- 
someone just used that service to get under 140 characters, and I could 
care less whether they used bit.ly, j.mp, t.co, c.dt or anything else.

>> Justin Brookman
>> Director, Consumer Privacy Project
>> Center for Democracy&  Technology
>> 1634 I Street NW, Suite 1100
>> Washington, DC 20006
>> tel 202.407.8812
>> fax 202.637.0969
>> justin@cdt.org
>> http://www.cdt.org
>> @CenDemTech
>> @JustinBrookman
>>
>> On 1/4/2012 6:51 PM, Jonathan Robert Mayer wrote:
>>> Understood. I took my own notes, and we'll work from the minutes. If 
>>> others would like to write up their proposed changes, that would be 
>>> most helpful,
>>>
>>> Jonathan
>>>
>>> On Jan 4, 2012, at 3:46 PM, David Singer <singer@apple.com 
>>> <mailto:singer@apple.com>> wrote:
>>>
>>>> To be clear, I only provide the edits I personally suggested;  I 
>>>> think all of us were asked to be precise about what we were 
>>>> suggesting, and I didn't do anyone else's suggestions.
>>>>
>>>> On Jan 4, 2012, at 15:42 , Jonathan Robert Mayer wrote:
>>>>
>>>>> Thanks for taking notes. Tom and I will revise the text to 
>>>>> incorporate what we heard on today's call. Much of the focus was 
>>>>> on the edge cases of mashups and inadvertantly embedded content - 
>>>>> which strongly suggests to me that we're very close to consensus.
>>>>>
>>>>> The two outstanding high-level concerns that I recall are:
>>>>>
>>>>> 1) Are the standards we provide workable in practice? I believe 
>>>>> close calls will be very rare, and only companies gaming the 
>>>>> margin would have to consider surveying users. Heather was less 
>>>>> sure. Heather, could you suggest a few common use cases that lead 
>>>>> to a difficult analysis under the draft's standards?
>>>>>
>>>>> 2) Shane suggested (and a few supported) moving to a 
>>>>> user-is-able-to-discover-information standard for what's a party 
>>>>> and what's a first or third party. Shane, could you briefly sketch 
>>>>> what this standard might look like and give a few examples where 
>>>>> it would work a different result from our user expectations standard?
>>>>>
>>>>> Jonathan
>>>>>
>>>>> On Jan 4, 2012, at 1:27 PM, David Singer <singer@apple.com 
>>>>> <mailto:singer@apple.com>> wrote:
>>>>>
>>>>>> Here are my comments/suggestions, after this morning's call.
>>>>>>
>>>>>> 1) section 2.1.  Make clear that the user is a party, or 
>>>>>> specifically say that the definition defines parties that may be 
>>>>>> 1st or 3rd.
>>>>>>   also raise an issue for a clear definition of what falls into 
>>>>>> the 2nd party?? (e.g. software or other agents acting on the 
>>>>>> user's behalf??)
>>>>>>
>>>>>> 2) section 2.1.  Consider adding the condition that two separate 
>>>>>> legal entities cannot be considered a single party (in our context).
>>>>>>
>>>>>> 3) section 2.1.  Add an issue that we may want to strengthen the 
>>>>>> definition to the point where it is testable.
>>>>>>
>>>>>> 4) section 4.1.  Make the definitions of what is a 1st party a 
>>>>>> list of conditions, all of which apply.
>>>>>>
>>>>>> 5) section 4.1.  Add to the list of conditions:
>>>>>>   a) the user must be directly aware of the existence and 
>>>>>> identity of a separate entity, prior to their interaction.
>>>>>>   b) the user's makes an independent choice to 
>>>>>> communicate/interact with the entity.
>>>>>>
>>>>>> Counter-examples to (a) are a weather or other widget with no 
>>>>>> obvious branding or other evidence to show it came from another 
>>>>>> organization or entity; the user is not aware of a separate 
>>>>>> identity behind it.
>>>>>> Counter-examples to (b) are where sites are mash-ups of 
>>>>>> unpredictable sources; the user, by visiting the mash-up, chose 
>>>>>> only the mashing site as the first party; until the user 
>>>>>> interacts further, the mashed sites are third parties (and rule 
>>>>>> (a) applies as well - the user must be aware that they are mashed 
>>>>>> in, and not sourced by the mashing site).
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>> On Dec 22, 2011, at 15:25 , Jonathan Mayer wrote:
>>>>>>
>>>>>>> Tom and I have worked for several weeks on a comprehensive draft 
>>>>>>> of the sections delineating first parties and third parties.  We 
>>>>>>> attempted to reflect the approaching-consensus discussion at 
>>>>>>> Santa Clara and on the email list.  Our draft includes both 
>>>>>>> operative standards language and non-normative explanation and 
>>>>>>> examples.  The text is formatted with the W3C template to better 
>>>>>>> resemble how it would appear in the final document; please note 
>>>>>>> that this is /not/ an Editor's Draft (as the template might 
>>>>>>> suggest).
>>>>>>>
>>>>>>> Jonathan
>>>>>>>
>>>>>>> <parties-draft-jm-tl.html>
>>>>>>>
>>>>>>
>>>>>> David Singer
>>>>>> Multimedia and Software Standards, Apple Inc.
>>>>>>
>>>>
>>>> David Singer
>>>> Multimedia and Software Standards, Apple Inc.
>>>>
>
Received on Friday, 6 January 2012 15:20:45 UTC