
Re: Parties and First Party vs. Third Party (ISSUE-10)

From: Sean Harvey <sharvey@google.com>
Date: Wed, 14 Mar 2012 00:32:53 -0400
Message-ID: <CAFy-vuc2oAz1WVPbNZKJjDPFQMQXC7aDR7qY5pk_JA3Lpzy_ng@mail.gmail.com>
To: Jonathan Mayer <jmayer@stanford.edu>
Cc: Tracking Protection Working Group WG <public-tracking@w3.org>

Thanks Jonathan. I have been far from alone in espousing a corporate
affiliation plus discoverability approach. As Shane from Yahoo and others
have indicated on this list and in direct meetings, it is not the job of
this standards committee to break up the multi-brand approach of many
companies on the web. This is not an issue of my and Heather's objection;
there is a broad disagreement with you on this topic that we can discuss
further in a weekly meeting.

On Wed, Mar 14, 2012 at 12:30 AM, Jonathan Mayer <jmayer@stanford.edu> wrote:

> Sean,
> I've heard both you and Heather express hesitation to adopt a branding
> approach.
> To situate the discussion, we've had (for some time) four options for
> delineating parties and first parties vs. third parties: domain names,
> corporate affiliation, branding, and user expectations.  See
> http://lists.w3.org/Archives/Public/public-tracking/2011Oct/0343.html.
> Domain names have been, I think it's very fair to say, thoroughly rejected
> as over- and underinclusive.  Corporate affiliation is a deal breaker for
> many privacy advocates given how it has been abused in other privacy
> regulatory regimes.  Many industry participants view a user expectations
> approach as unworkable.  (I disagree, and despite persistent grousing I
> *still* have not seen a concrete example of how the approach is
> unworkable.)  Branding is the only option that remains, and the discussion
> surrounding ACTION-123 and ACTION-124 both on- and off-list was very
> positive.
> Given that context, could you please explain your concern and propose a
> better option?
> Jonathan
> On Mar 13, 2012, at 9:13 PM, Sean Harvey wrote:
> Just to be very clear we absolutely do not have consensus on 2 or 3, nor
> are we near consensus on those points. Easy discoverability was the main
> issue to my knowledge.
> On Wed, Mar 14, 2012 at 12:10 AM, Jonathan Mayer <jmayer@stanford.edu> wrote:
>> We agreed in Brussels that:
>> 1) If two entities are not related by corporate affiliation, they are not
>> part of the same party.
>> From discussion on the mailing list, I think we are very close to
>> consensus on three other points:
>> 2) Branding should determine party boundaries.
>> 3) Branding should determine first parties and third parties.
>> 4) An entity must make "discoverable" the other entities that it
>> considers part of the same party.
>> We do not have consensus on a final issue:
>> 5) If two entities are related by corporate affiliation, are they part of
>> the same party?
>> I've taken a stab at text that captures these five points.  It is based
>> on the current TCS document, the DAA principles, my proposal with Tom, and
>> the CDT proposal.
>> --------------------------------------------------
>> I. Definitions
>> A. Network Interaction
>> A "network interaction" is an HTTP request and response, or any other
>> sequence of logically related network traffic.
>> B. Entity
>> An "entity" is any commercial, nonprofit, or governmental organization, a
>> subsidiary or unit of such an organization, or a person.
>> C. Affiliation
>> If an entity holds significant ownership in or exercises significant
>> operational control over another entity, they are "affiliated."
>> D. Party
>> A "party" is any group of entities that:
>> a) consistently presents common branding throughout each entity, and
>> b) is related by affiliation.
>> [there is debate over whether to flip the "and" to an "or"]
>> E. First Parties and Third Parties
>> A "first party" is any party, in a specific network interaction, that
>> brands content that occupies the full window.
>> A "third party" is any party, in a specific network interaction, that
>> does not brand content that occupies the full window.
>> II. Transparency Requirement
>> A. Operative Text
>> A party must make reasonable efforts to ensure users can discover which
>> entities it encompasses.
>> B. Non-Normative Discussion
>> A list of entities in a privacy policy would ordinarily satisfy this
>> requirement.
> --
> Sean Harvey
> Business Product Manager
> Google, Inc.
> 212-381-5330
> sharvey@google.com

Sean Harvey
Business Product Manager
Google, Inc.
Received on Wednesday, 14 March 2012 04:33:21 UTC
