W3C home > Mailing lists > Public > public-tracking@w3.org > June 2012

Re: Considering browser vendor as a third party

From: Justin Brookman <justin@cdt.org>
Date: Thu, 07 Jun 2012 17:14:59 -0400
Message-ID: <4FD119D3.5090208@cdt.org>
To: public-tracking@w3.org
The current text says that first parties are parties that the user is 
intending to communicate "with."  Browsers, ISPs, hardware, and mobile 
OSs are more what the user is trying to communicate "through," though I 
don't know that that logically makes them third parties.  We do need to 
distinguish between the client side software --- which is often going to 
"track" (think browser history) --- and the browser company's servers 
where the info could be sent.  I think the desired result from DNT:1 
would be that your own browser, OS, or other software agent could track 
but that the parent company couldn't get the data outside the permitted 
exceptions (Vincent's Chrome example from below could be permissible 
under a number of rationales depending on the facts and the eventual 
standard: security, deidentified data, two-week grace period, 
user-granted exception, etc.).  When the user agent is really just an 
agent, it's more of an extension of the user, basically the second party 
(sorry, Heather!).  But I think the text could be revised to better make 
these distinctions.

Justin Brookman
Director, Consumer Privacy
Center for Democracy&  Technology
1634 I Street NW, Suite 1100
Washington, DC 20006
tel 202.407.8812
fax 202.637.0969
justin@cdt.org
http://www.cdt.org
@CenDemTech
@JustinBrookman


On 6/7/2012 4:44 PM, Chris Pedigo wrote:
> So, not to pick on MS, but suppose a consumer is using IE 10 with DNT ON.  Would MS be a first party wherever the user went on the web?  And, therefore, able to track that user as a first party and even share the behavioral data with MS Advertising?
>
>
> -----Original Message-----
> From: Tom Lowenthal [mailto:tom@mozilla.com]
> Sent: Thursday, June 07, 2012 4:40 PM
> To: TOUBIANA, VINCENT (VINCENT)
> Cc: public-tracking@w3.org
> Subject: Re: Considering browser vendor as a third party
>
> I don't think that it makes sense to think of the UA as a third party.
> Perhaps we should ponder an online service to which the browser sends info like this?
>
> In any event, the browser knows the user's tracking preference, and can tailor whether and what to report based on user choice.
>
> On 06/06/2012 04:01 PM, TOUBIANA, VINCENT (VINCENT) wrote:
>> In the discussions about first and third parties I do not recall that we considered the browser vendor as a potential tracking entity. But in some cases the browser vendor -- or a service enabled by default in the browser -- could track partially the user to enforce security and/or improve a product.
>>
>> For instance, starting Chrome 15 Google could collect URLs of potentially risky sites to improve the quality of Safe Browsing and other Google services (see the relevant section from the privacy policy below).
>> I believe that Google is not using these logs to track users but just to improve Safe Browsing. Also it seems that they delete everything but the URL after two weeks.
>>
>> Yet, just reading the privacy policy one could understand that Safe Browsing logs could be used to track users.  More generally, I don't think we raised the issue of browser phoning home to send data that could be used for product improvement. In this scenario, I think the browser vendor should be treated as a third party.
>>
>> Vincent
>>
>>
>> Extract of Safe Browsing privacy policies (http://www.google.com/intl/en_us/privacy/browsing.html):
>> "In addition, Google Chrome versions 15 and later include Safe Browsing technology that can identify potentially risky sites and executable file downloads not already known by Google. In conjunction with this technology, information regarding a potentially risky site or executable file download, including the full URL of the site or executable file download, may be sent to Google to aid in determining whether the site or download is malicious. Google does not collect any account information or other personally identifying information as part of this contact, but does receive standard log information, including an IP address and one or more cookies."
>>
>
>
>
Received on Thursday, 7 June 2012 21:15:29 UTC

This archive was generated by hypermail 2.3.1 : Friday, 21 June 2013 10:11:30 UTC