W3C home > Mailing lists > Public > public-tracking@w3.org > January 2012

Re: Draft Text on First Parties and Third Parties (ACTION-34, ISSUE-10, ISSUE-26, ISSUE-88)

From: Justin Brookman <justin@cdt.org>
Date: Tue, 10 Jan 2012 15:58:49 -0500
Message-ID: <4F0CA689.4060900@cdt.org>
To: public-tracking@w3.org

> If I understand correctly, you are proposing two additional limits on 
> first parties.  First, there can only be at most one first party per 
> web page.  Second, if there is a first party for a web page, it can 
> only be the party listed in the registration for the PS+1 in the 
> browser's URL bar.  I have reservations about both of these 
> limitations, but before going there, I want to make sure we're on the 
> same page.
Yes, that it my suggestion, though a visible browser URL bar is not 
necessary.
>>> On "with which the user intended to communicate":
>>> Tom and I drafted objective definitions that require a universal, 
>>> straightforward, testable judgement about party divisions and party 
>>> status.  Subjective standards are unworkable - we can't expect a 
>>> website to understand each user's mental state.
>> I don't see how "with which the user intended to communicate" is any 
>> more subjective than "that can infer with high probability that the 
>> user knowingly and intentionally communicated with it."  I'm not 
>> wedded to my language, but I think tying intent to the specific 
>> domain the user's trying to get to instead of the more vague concept 
>> of who the user is might be trying to "communicate with" on any given 
>> domain is more precise and will make implementation simpler.
>
> I want to unpack two points here.
>
> First, on subjectivity vs. objectivity: The text Tom and I drafted is 
> objective.  It *does not* ask a website to understand each user's 
> mental state.  Rather, it expects a website to have an understanding 
> of how its audience, in the aggregate, expects to interact with it. 
>  In almost all cases the answer is very straightforward.  The text you 
> are proposing, on the other hand, is subjective.  It *does* ask a 
> website to know what each user is thinking.  That's clearly 
> unworkable, and I understand why it's a non-starter for many around 
> the table.
Uh, I'm not sure how you interpret your definition as an objective 
aggregate subjective understanding and mine as an individualized 
subjective understanding since both refer to "the user" in any 
individual transaction.  I think both definitions are trying to get to a 
reasonable user's expectations in any specific scenario (which millions 
of users will go through individually).  Maybe: "A first party is, in a 
specific network interaction, the operator of the domain with which a 
reasonable user would have intended to communicate."  (Working group 
members have suggested corporate structure as a means to avoid 
subjective "reasonable expectations" around what constitutes a common 
"party," but I haven't seen an effort to come up with a truly objective 
test on which parties are /first/ parties.)

> Second, on your reliance on domains: I think it's unwise to turn our 
> "first party" definition on what's in the URL bar.  Visible domain 
> names - and URLs - are slowly going the way of the dinosaur.  Many 
> browsers now feature a URL bar-free or URL bar-hidden mode, and mobile 
> apps rarely show the user which websites they're communicating with.
I don't care if the URL is visible or not.  As I understand how the web 
is structured, there is a primary domain that hosts the content of a 
particular page, and it may or may not embed third party content.  The 
operator of that domain is the first-party.  I am not a web developer so 
my understanding may well be wrong, but I haven't seen a use case that 
disabuses me of this notion yet (not saying they don't exist).
>> In practice, I don't believe passive tracking on third-party 
>> platforms is common.
>
> Some platforms (e.g. Facebook) limit custom HTML, CSS, and JavaScript, 
> mooting the issue.  But some (e.g. Tumblr) tout their support for 
> tracking content - see http://www.tumblr.com/docs/en/google_analytics. 
>  We will have to address this.
I prefer the certainty provided by a one first-party model.  A 
first-party platform could still provide aggregate data about subdomain 
usage to their customers, whether calculated by the first party itself 
or a service provider (to the first party, not the third party).
Received on Tuesday, 10 January 2012 20:59:30 UTC

This archive was generated by hypermail 2.3.1 : Friday, 21 June 2013 10:11:23 UTC