RE: Draft Text on First Parties and Third Parties (ACTION-34, ISSUE-10, ISSUE-26, ISSUE-88)

Following on Justin's "domain operator" phrasing, we came up with a suggested definition for first parties (see below).  Also, we shouldn't dismiss domain registration without due consideration.  While imperfect, domain registration is a reasonable starting point for first party identification. To the extent any domain operator wants to claim the benefit of first party status, they have an incentive to update and correct domain registration information.  Further, WHOIS information is "reasonably discoverable" in most cases.  Finally, the below definition includes the term "affiliate," which I noted in another email is a commonly accepted term in commercial contract and securities law.  In our definition, however, "affiliates" must meet three tests in order to be considered first parties.

First Party and Third Party Definition:

A "domain operator" means the registered owner of the domain or an entity affiliated with the registered owner of the domain.  The affiliate MUST: 1) share common majority ownership or management control with the registered owner; and 2) disclose and adhere to policies with respect to the use and disclosure of user information that are substantially similar to those of the registered owner, and 3) disclose its affiliation with the registered owner through common branding or other clear and conspicuous means.

A "network interaction" is an HTTP request and response, or any other set of logically related network traffic.

A "first party" is the domain operator, in a specific network interaction, that can infer with high probability that the user knowingly and intentionally communicated with it.

A "third party" is any commercial, nonprofit, or governmental organization, a subsidiary or unit of such an organization, or a person, in a specific network interaction, other than the first party or user.


From: Jonathan Mayer [mailto:jmayer@stanford.edu]
Sent: Tuesday, January 10, 2012 5:28 PM
To: Justin Brookman
Cc: public-tracking@w3.org
Subject: Re: Draft Text on First Parties and Third Parties (ACTION-34, ISSUE-10, ISSUE-26, ISSUE-88)


On Jan 10, 2012, at 12:58 PM, Justin Brookman wrote:




If I understand correctly, you are proposing two additional limits on first parties.  First, there can only be at most one first party per web page.  Second, if there is a first party for a web page, it can only be the party listed in the registration for the PS+1 in the browser's URL bar.  I have reservations about both of these limitations, but before going there, I want to make sure we're on the same page.
Yes, that is my suggestion, though a visible browser URL bar is not necessary.

On "with which the user intended to communicate":
Tom and I drafted objective definitions that require a universal, straightforward, testable judgement about party divisions and party status.  Subjective standards are unworkable - we can't expect a website to understand each user's mental state.
I don't see how "with which the user intended to communicate" is any more subjective than "that can infer with high probability that the user knowingly and intentionally communicated with it."  I'm not wedded to my language, but I think tying intent to the specific domain the user's trying to get to instead of the more vague concept of who the user is might be trying to "communicate with" on any given domain is more precise and will make implementation simpler.

I want to unpack two points here.

First, on subjectivity vs. objectivity: The text Tom and I drafted is objective.  It *does not* ask a website to understand each user's mental state.  Rather, it expects a website to have an understanding of how its audience, in the aggregate, expects to interact with it.  In almost all cases the answer is very straightforward.  The text you are proposing, on the other hand, is subjective.  It *does* ask a website to know what each user is thinking.  That's clearly unworkable, and I understand why it's a non-starter for many around the table.
Uh, I'm not sure how you interpret your definition as an objective aggregate subjective understanding and mine as an individualized subjective understanding since both refer to "the user" in any individual transaction.  I think both definitions are trying to get to a reasonable user's expectations in any specific scenario (which millions of users will go through individually).  Maybe: "A first party is, in a specific network interaction, the operator of the domain with which a reasonable user would have intended to communicate."  (Working group members have suggested corporate structure as a means to avoid subjective "reasonable expectations" around what constitutes a common "party," but I haven't seen an effort to come up with a truly objective test on which parties are first parties.)

I think we may be talking past each other.  I mean "objective" as that term is used in the American legal system (and many other legal systems).  Hornbook law in a number of areas applies an objective reasonableness test (often anthropomorphized as an "ordinary person," "reasonable person," or "average person").  To the extent there's a little play at the margin, Tom and I adopted the "average user" formulation to clarify that survey data would be adequate to make a determination.

Second, on your reliance on domains: I think it's unwise to turn our "first party" definition on what's in the URL bar.  Visible domain names - and URLs - are slowly going the way of the dinosaur.  Many browsers now feature a URL bar-free or URL bar-hidden mode, and mobile apps rarely show the user which websites they're communicating with.
I don't care if the URL is visible or not.  As I understand how the web is structured, there is a primary domain that hosts the content of a particular page, and it may or may not embed third party content.  The operator of that domain is the first-party.  I am not a web developer so my understanding may well be wrong, but I haven't seen a use case that disabuses me of this notion yet (not saying they don't exist).

Three concerns.

First, if the URL bar is hidden, there may be a tenuous relationship between a webpage's domain and user expectations.  The user may have no idea which domain they've loaded content from.

Second, like the URL bar, the notion of a single, full-window webpage that embeds other resources is slowly fading.  Many apps (both mobile and desktop) load standalone frames or other resources over HTTP.  This is how the majority of mobile app ad libraries work, for example.

Third, I don't think it makes much sense to link our first party definition to domain registrations.  WHOIS information is often private, out of date, or just wrong (see https://community.icann.org/display/whoisreview/WHOIS+Background+Information).

I don't mean to be overly critical of the URL bar + WHOIS proposal.  I think it's a very useful rule of thumb that will give the right result in many - if not most - traditional webpage use cases.  I would strongly support clarifying that in the non-normative discussion.  (The current text reads: "There will almost always be only one party that the average user would expect to communicate with: the provider of the website the user has visited.")


In practice, I don't believe passive tracking on third-party platforms is common.

Some platforms (e.g. Facebook) limit custom HTML, CSS, and JavaScript, mooting the issue.  But some (e.g. Tumblr) tout their support for tracking content - see http://www.tumblr.com/docs/en/google_analytics.  We will have to address this.
I prefer the certainty provided by a one first-party model.

Could you explain your concerns more fully?  The language Tom and I drafted notes that there will "almost always be only one" first party, and multiple first parties only occur "in rare cases."  I don't see much room for gaming that text.


A first-party platform could still provide aggregate data about subdomain usage to their customers, whether calculated by the first party itself or a service provider (to the first party, not the third party).

Setting aside issues of user expectations (where research is needed), I imagine some platforms and platform users would have concerns about this outcome.  I'll leave that to others to articulate.

Received on Wednesday, 11 January 2012 16:02:32 UTC