W3C home > Mailing lists > Public > public-tracking@w3.org > October 2012

FW: ACTION-267 - Propose first/third party definitions from existing DAA documents

From: Mike O'Neill <michael.oneill@baycloud.com>
Date: Thu, 11 Oct 2012 16:07:26 +0100
To: <public-tracking@w3.org>
Message-ID: <021a01cda7c2$20093220$601b9660$@baycloud.com>
Hi David,

 

So we now have 1) a EU based "compliance regime" that's says DNT:1 should be
assumed by default and 1st party should react as if they were 3rd p, 2) a
W3C "consensus" where DNT unset is the default and 1st parties have an
easier ride than 3rd parties and 3) a DAA/IAB US/and others lobby who hold
that 2) is unfair and not a level playing field.

 

So why not just support 1. The only difference with your position is the DNT
default case, which is hard to explain to outsiders and cannot be avoided in
Europe anyway. 

 

Mike

 

 

From: David Wainberg [mailto:david@networkadvertising.org] 
Sent: 11 October 2012 15:27
To: Jeffrey Chester
Cc: Mike Zaneis; Thomas Roessler; Aleecia McDonald; Matthias Schunter;
Rachel Thomas; Craig Spiezle; public-tracking@w3.org; Kimon Zorbas
Subject: Re: ACTION-267 - Propose first/third party definitions from
existing DAA documents

 

Jeff,

I've raised this several times before. You've not addressed it, and you
continue to repeat the same thing. Tell me how focusing primarily on third
parties is a compromise. With whom did you make this compromise? The third
parties -- the primary targets of this standard -- do not see it as such and
have serious concerns about the competitive effects of the direction this
standard has been going. 

-David

On 10/11/12 8:22 AM, Jeffrey Chester wrote:

Dear Mike: 

 

As you and colleagues know, the privacy advocates have been willing to
engage in compromise in pursuit of a standard that would effectively protect
privacy.  We were willing to focus primarily on Third parties, consider
supporting the no-default approach, etc.  Indeed, just several weeks ago in
DC I spoke to the DAA's lobbyist.  At that time he praised the willingness
to compromise by the privacy groups working within the WC3.  He made it
clear that the industry objected to Microsoft's IE default.  I told him that
I was willing to discuss this issue (speaking only for my CDD) in the
context of a deal offering a stronger outcome (no unique cookies, etc).

 

However, the recent actions by the DAA/IAB show the US online ad trade
groups are working to derail the W3C standards process.  The recent
strong-arm tactics against Microsoft taken by the ANA and DAA (with IAB US
support) are designed to intimidate companies trying to be responsible on
the privacy issue.  The move last week by the DAA to have all marketing and
advertising declared acceptable practices ("Marketing.is as American as
apple pie")  illustrates the failure of US online ad industry leaders to
accept responsibility for its pervasive data collection practices.  

 

If the W3C cannot develop a meaningful standard for DNT, the failure to do
so is due to the intransigent position of the DAA.  It is a lost
opportunity.  

 

Regards,

 

Jeff

 

 

 

Jeffrey Chester

Center for Digital Democracy

1621 Connecticut Ave, NW, Suite 550

Washington, DC 20009

www.democraticmedia.org

www.digitalads.org

202-986-2220

 

On Oct 10, 2012, at 6:39 PM, Mike Zaneis wrote:

 

Jeff,

 

I really do enjoy revisiting the IE10/browser default/non-compliant DNT
signal issue every couple of months because it gives me the opportunity to
just recycle my old emails on the subject. Please see my previous email
below on the matter, which references your previous agreement that we should
not honor default "on" browser settings:

 

 

Jeff,

 

I hate to revisit an issue that has been closed at least twice before, the
first time being way back in September, but you again raised the browser
default setting issue and its place in the W3C standards process -
http://www.chicagotribune.com/news/tribnation/chi-reporting-privacy-vs-profi
ts-on-internet-browsers-20120726,0,5932169.story.  The story is about the
W3C TPE Working Group and how Microsoft has decided to ship IE10 with the
DNT flag turned on.  I was extremely disappointed to see your quote that
industry would face a "bloody virtual and real-world fight" if we did not
honor such a default.  That flies in the face of your statement from last
month (see below to refresh your memory).

 

I have to question whether you are negotiating at the W3C in good faith.  If
the industry is to be attacked and engaged in a bloody fight even if we
develop and adopt a W3C standard, then what is the incentive for us to
remain at the table?  Can you please clarify your position on this vitally
important issue.

 

Mike Zaneis

SVP & General Counsel

Interactive Advertising Bureau

(202) 253-1466 <tel:%28202%29%20253-1466> 

 

Follow me on Twitter @mikezaneis

 

 

From: Jeffrey Chester [mailto:jeff@democraticmedia.org] 
Sent: Sunday, June 03, 2012 5:41 PM
To: Shane Wiley
Cc: Roy T. Fielding; Justin Brookman; public-tracking@w3.org
Subject: Re: ISSUE-4 and clarity regarding browser defaults

 

I support what the working group agreed to, with DNT not being shipped as
on.  That is part of the set of compromises we have agreed to within the
working group.  I was surprised as everyone else with Microsoft's
announcement.  I was just responding the tone of some of the comments in the
press where various industry players suggest that Microsoft is a digital
Benedict Arnold.  That said, we need to conclude this work with agreement on
definition for policy.  I still believe there is a win-win here that can be
achieved.  If we can all agree on meaningful final policy, it will be the
norm which everyone should abide.  

 

So to be clear.  I am not trying to undo the agreement and urge us to stay
in discussions.  

 

But it sounds like there will be a lot of sleeplessness in Seattle!  Those
Microsoft people better lock their doors!

 

Regards,

 

Jeff

 

 

 

Jeffrey Chester

Center for Digital Democracy

1621 Connecticut Ave <x-apple-data-detectors://4> , NW, Suite 550

Washington, DC 20009 <x-apple-data-detectors://5> 

www.democraticmedia.org <http://www.democraticmedia.org/> 

www.digitalads.org <http://www.digitalads.org/> 

202-986-2220

 

On Jun 3, 2012, at 4:44 PM, Shane Wiley wrote:





Jeff,

 

I thought we had solved this issue sometime ago at the beginning of the
working group:  opt-in vs. opt-out.  By moving the UA to default to DNT:1
without an explicit user action, you're creating an opt-in world.  I
understand you like that end-point, but if you're unwilling to move back to
the originally agreed upon opt-out structure, I suspect industry
participants may leave the working group.  A pure opt-in outcome will have
devastating impact to the online ecosystem, will prompt many to develop
overly inclusive opt-in approaches, and ultimately consumers lose after
being barraged with a sea of opt-in requests.  I'm saddened by this sudden
180 on this very key perspective but hopefully saner minds will prevail.


In my opinion, we need to resolve this fundamentally core issue prior to
moving forward on any other issues at the TPWG.  Please let me know if you
agree.

 

Thank you,

Shane

 

 


Mike Zaneis 

SVP & General Counsel, IAB

(202) 253-1466

 

 

On Oct 10, 2012, at 11:52 AM, "Jeffrey Chester" <jeff@democraticmedia.org>
wrote:

I have to say I am dismayed that colleagues from the US online marketing
community are trying to replace the W3C multistakeholder process with a
system devised exclusively by the online ad industry.  As I mentioned during
last week's f2f, NGOs and other civil society groups across the Atlantic
have criticized the DAA system as inadequate.  Leading computer science and
other researchers have also repeatedly shown how lacking and ineffective it
is.  Indeed, just two weeks ago in DC I asked Ms. Thomas if there had been
any testing done for design and usability of the system--including by
independent bodies.  The answer was basically there was no such usability
and independent review.  As we all know, the user experience online is
tested and  "optimized" to move them through a digital data collection
funnel-- in order to achieve the required "conversion."  Until such
independent testing of the DAA system to show that it can effectively inform
and empower online users about their privacy choices-- in the face of a
purposefully powerful and designed interactive experience--the W3C would be
remiss adopting it in all or in part. 

 

In addition, yesterday's announcement by the DAA that it would, in essence,
condone a boycott of DNT requests from users relying on the IE browser (or
other browsers adopting privacy by design frameworks), suggests there is a
political motivation that should be addressed by the group and W3C (inc. Mr.
Berners-Lee).  Instead of developing the best technical standard through
expert and objective international standards work, we appear to now confront
a political agenda designed to maintain the data collection and user
targeting status quo.  The W3C needs to do better than be silent about these
recent developments.

 

 

 

 

Jeffrey Chester

Center for Digital Democracy

1621 Connecticut Ave, NW, Suite 550

Washington, DC 20009

www.democraticmedia.org <http://www.democraticmedia.org/> 

www.digitalads.org <http://www.digitalads.org/> 

202-986-2220

 

On Oct 10, 2012, at 10:57 AM, Kimon Zorbas wrote:

 

Dear all,

 

to add some European flavour, here what we use in our OBA Framework,
matching European law. We call First Parties "Web Site Operators". W3C can
of course use this wording, we have the full rights to it.

 

Third Party

An entity is a Third Party to the extent that it engages in Online
Behavioural Advertising on a web site or web sites other than a web site or
web sites it or a an entity under Common Control owns or operates.

 

Web Site Operator

A Web Site Operator is the owner, controller or operator of the web site
with which the web user interacts.

 

Control

Control of an entity means that another entity (1) holds a majority of the
voting rights in it, or (2) is a member of it and has the right to appoint
or remove a majority of its board of directors, or (3) is a member of it and
controls alone, pursuant to an agreement with other members, a majority of
the voting rights in it, or (4) has placed obligations upon or otherwise
controls the policies or activities of it by way of a legally binding
contract, or (5) otherwise has the power to exercise a controlling influence
over the management, policies or activities of it, and "Controlled" shall be
construed accordingly.

 

Common Control

Entities or web sites under Common Control include ones which Control, for
example parent companies, are Controlled by, such as subsidiaries, or are
under common Control, such as group companies. They also include entities
that are under a written agreement to process data for the controlling
entity or entities, and do such processing only for and on behalf of that
entity or entities and not for their own purposes or on their own behalf.

 

 

For other UA, we capture them through the following wording:

To the extent that Companies collect and use data via specific technologies
or practices that are intended to harvest data from all or substantially all
URLs traversed by a particular computer or device across multiple web
domains and use such data for OBA, they should first obtain Explicit
Consent.

 

Kind regards,

Kimon

 

From: Rachel Thomas <RThomas@the-dma.org>
Date: Wednesday 10 October 2012 16:48
To: Craig Spiezle <craigs@otalliance.org>, "public-tracking@w3.org"
<public-tracking@w3.org>
Subject: RE: ACTION-267 - Propose first/third party definitions from
existing DAA documents
Resent-From: <public-tracking@w3.org>
Resent-Date: Wednesday 10 October 2012 16:43

 

Hi Craig, great question - let me try to clarify with some additional info
from the DAA principles.  Below is the definition of "affiliate" as well as
some commentary on the definition from the DAA's Self-Regulatory Principles
for Online Behavioral Advertising.  (Also, please note that while there is
not an explicit definition of "affiliate" included in the DAA's
Self-Regulatory Principles for Multi-Site Data, the same definition applies
in that context as well).

 

AFFILIATE

 

Definition: An Affiliate is an entity that Controls, is Controlled by, or is
under common Control with, another entity.

 

Commentary (relating to definitions of both "affiliate" and "control"):
These terms set an objective test to separate related First Party entities
from Third Parties and others. An Affiliate is defined as an entity that
Controls, is Controlled by, or is under common Control with, another entity.
The definition of Control sets out two alternative tests, which reflect a
commonly understood definition of a single entity. The first alternative
looks to whether one entity is under significant common ownership with the
other entity. The second alternative looks to whether one entity has the
power to exercise a controlling influence over the management or policies of
the other. In addition, each entity must be subject to Online Behavioral
Advertising policies that are not materially inconsistent with the other
entity's Online Behavioral Advertising policies. The combination of Control
and governance by similar Online Behavioral Advertising policies renders the
two entities Affiliates of each other.  

 

The tests for Control are unrelated to brand names. As a result, different
brands, if they otherwise meet one of the tests for Control, would be
treated as Affiliates rather than Third Parties.

 

The starting point for whether two or more affiliated consumer-facing Web
sites constitute a First Party under the Principles is whether the Web sites
are the same company. The use of the term Affiliate is intended to allow
affiliated companies that are in the same corporate family to share
information within that family as if they are the same company, thereby
benefitting from their collective assets. The treatment of Affiliates is not
intended to create a means for companies that are in reality unrelated in
corporate structure (and, therefore, that consumers would never expect would
be sharing information,) to avoid providing the choice required under these
Principles. In many cases companies can readily be transparent either in
branding on the Web sites or through clarity in the privacy notices of their
particular Affiliates. Assuming an entity otherwise meets the standard set
forth in the definition of Control, such practices would clearly satisfy and
permit inclusion in the definition of Affiliate. However, such branding on a
Web site or inclusion in a privacy notice is not required under the
Principles as in some instances the complexity of corporate affiliates
driven by corporate legal principles pose practical operational challenges.

 

And very best,

Rachel

 

 

 

From: Craig Spiezle [mailto:craigs@otalliance.org] 
Sent: Tuesday, October 09, 2012 11:58 PM
To: Rachel Thomas; public-tracking@w3.org
Subject: RE: ACTION-267 - Propose first/third party definitions from
existing DAA documents

 

This is helpful.

 

Just so we are all on the same page can you clarify affiliate vs.
non-affiliate.   Is it correct to assume affiliate means a wholly owned
entity?

 

So a Third Party who collects data from an affiliate is not a third party.
So this would or could mean a totally separate brand which the user has no
knowledge of?  

 

Thanks 

 

From: Rachel Thomas [mailto:RThomas@the-dma.org] 
Sent: Tuesday, October 09, 2012 1:16 PM
To: public-tracking@w3.org
Subject: ACTION-267 - Propose first/third party definitions from existing
DAA documents

 

Folks - As promised, I am submitting the Digital Advertising Alliance (DAA)
definitions of "first party" and "third party" for consideration / inclusion
in section 3.5
<http://www.w3.org/2011/tracking-protection/drafts/tracking-compliance.html#
first-third-parties>  ("First and Third Parties") of the W3C TPWG "Tracking
Compliance and Scope" document.  Below are both formal definitions and
related commentary from the DAA Self-Regulatory Principles for Multi-Site
Data
<https://www.aboutads.info/resource/download/Multi-Site-Data-Principles.pdf>
.

 

FIRST PARTY

 

Definition: A First Party is the entity that is the owner of the Web site or
has Control over the Web site with which the consumer interacts and its
Affiliates. 

 

Commentary: The actions of agents and other entities that similarly perform
business operations of First Parties are treated as if they stand in the
shoes of First Parties under these Principles and thus such actions are not
included in Multi-Site Data.

 

THIRD PARTY

 

Definition: An entity is a Third Party to the extent that it collects
Multi-Site Data on a non-Affiliate's Web site.

 

Commentary:  As described in the OBA Principles, in certain situations where
it is clear that the consumer is interacting with a portion of a Web site
that is being operated by a different entity than the owner of the Web site,
the different entity would not be a Third Party for purposes of the
Principles, because the consumer would reasonably understand the nature of
the direct interaction with that entity. The situation where this occurs
most frequently today is where an entity through a "widget" or "video
player" enables content on a Web site and it is clear that such content and
that portion of the Web sites is provided by the other entity and not the
First Party Web site. The other entity (e.g. the "widget" or "video player")
is directly interacting with the consumer and, from the consumer's
perspective, acting as a First Party. Thus, it is unnecessary to apply to
these activities the Principles governing data collection and use by Third
Parties with which the consumer is not directly interacting. 

 

Very best,

Rachel

 

Rachel Nyswander Thomas

Vice President, Government Affairs

Direct Marketing Association

(202) 861-2443 office

(202) 560-2335 cell

 <mailto:rthomas@the-dma.org> rthomas@the-dma.org

 

Join us at DMA2012 Conference and Exhibition

The Global Event for Real-Time Marketers

October 13-18, 2012 | Las Vegas, NV

Register NOW & SAVE up to $200 | <http://www.dma12.org/> www.dma12.org

 

 

 

 
Received on Thursday, 11 October 2012 15:08:10 UTC

This archive was generated by hypermail 2.3.1 : Friday, 21 June 2013 10:11:36 UTC