W3C home > Mailing lists > Public > public-tracking@w3.org > September 2012

RE: Multiple First Parties

From: Shane Wiley <wileys@yahoo-inc.com>
Date: Fri, 21 Sep 2012 12:50:46 -0700
To: Jeffrey Chester <jeff@democraticmedia.org>
CC: Lauren Gelman <gelman@blurryedge.com>, Vinay Goel <vigoel@adobe.com>, Rob Sherman <robsherman@fb.com>, Chris Pedigo <CPedigo@online-publishers.org>, Justin Brookman <justin@cdt.org>, "public-tracking@w3.org" <public-tracking@w3.org>
Message-ID: <63294A1959410048A33AEE161379C802620761D820@SP2-EX07VS02.ds.corp.yahoo.com>
Jeff,

Yes - there is information being shared in a single direction (not "interaction" though which I interpret as more of a "back and forth" process).  Yahoo! is not involved with ATT Adworks other than we provide the publishing platform where they can activate this program on their own (aka - we don't get the data!).

Rather than dive deep on the specifics of the Y!/ATT relationship though I suggest we up-level this back to a conversation of what are the necessary elements for a web-site to be deemed "multiple first party".  I believe the list I've laid out more than adequately covers the areas of concern we've discussed in the past (branding, TOS, PP).

- Shane

From: Jeffrey Chester [mailto:jeff@democraticmedia.org]
Sent: Friday, September 21, 2012 12:35 PM
To: Shane Wiley
Cc: Lauren Gelman; Vinay Goel; Rob Sherman; Chris Pedigo; Justin Brookman; public-tracking@w3.org
Subject: Re: Multiple First Parties

I see Lauren found this and related and I may be reading this incorrectly.  But it looks like information sharing to me:


excerpt:  Information Collection and Use

General

 *   Yahoo! collects personal information when you establish an att.net<http://att.net> Powered by Yahoo! account, when you use att.net Powered by Yahoo! products or services<http://info.yahoo.com/privacy/us/yahoo/all/>, when you visit att.net<http://att.net> Powered by Yahoo! pages or the pages of certain partners, and when you enter promotions or sweepstakes<http://info.yahoo.com/privacy/us/yahoo/promotions/details.html>. Yahoo! may combine information about you that we have with information we obtain from business partners or other companies.
 *   When you register we ask for information such as your name, email address, birth date, gender, zip code, occupation, industry, and personal interests. For some financial products and services we may also ask for your address, Social Security number, and information about your assets. Once you create an att.net<http://att.net> Powered by Yahoo! account and sign in to our services, you are not anonymous to us.
 *   Yahoo! collects information about your transactions with us and with some of our business partners, including information about your use of financial products and services that we offer.
 *   Yahoo! automatically receives and records information on our server logs from your browser, including your IP address<http://info.yahoo.com/privacy/us/yahoo/ipaddress/details.html>, Yahoo! cookie<http://info.yahoo.com/privacy/us/yahoo/cookies/details.html> information, and the page you request.
 *   Yahoo! uses information for the following general purposes: to customize the advertising and content you see, fulfill your requests for products and services, improve our services, contact you, conduct research, and provide anonymous reporting for internal and external clients.
http://info.yahoo.com/privacy/us/yahoo/attyahoo/details.html

Is Yahoo involved with ATT Adworks? http://adworks.att.com/online-audience-network.html



Jeffrey Chester
Center for Digital Democracy
1621 Connecticut Ave, NW, Suite 550
Washington, DC 20009
www.democraticmedia.org<http://www.democraticmedia.org>
www.digitalads.org<http://www.digitalads.org>
202-986-2220

On Sep 21, 2012, at 2:40 PM, Shane Wiley wrote:


"AT&T and Yahoo! each maintain separate policies to describe how we treat your information."

Lauren,

That is the whole point of multi-first party - they don't interact and operate independently.

- Shane

From: Lauren Gelman [mailto:gelman@blurryedge.com]
Sent: Friday, September 21, 2012 11:31 AM
To: Jeffrey Chester
Cc: Vinay Goel; Rob Sherman; Chris Pedigo; Justin Brookman; public-tracking@w3.org<mailto:public-tracking@w3.org>
Subject: Re: Multiple First Parties


This is a very interesting example!

If you click privacy you get links to both ATT and Yahoo's policies with no overt information about how they interact.

"In order to provide you with online access, personalized content, customized advertising and many other valuable services, AT&T and Yahoo! collect and use information about you. We at AT&T and Yahoo! are committed to maintaining high standards of data privacy. AT&T and Yahoo! each maintain separate policies to describe how we treat your information. Please take a moment to read our privacy policies."

In ATT's policy there is a section specifically referring to Yahoo:

Online Activity Tracking and Advertising

 *   We collect information about your activity on AT&T websites for a number of purposes using technologies such as cookies, Flash cookies, Web beacons, widgets and server log files.
 *   We and our non-AT&T advertising partners use that information, as well as other information they have or we may have, to help tailor the ads you see on our sites and to help make decisions about ads you see on other sites.
 *   Opt-out of ad matching by Yahoo!<http://info.yahoo.com/privacy/us/yahoo/opt_out/targeting/details.html>.
 *   Opt-out of targeting advertising from many other ad networks<http://www.networkadvertising.org/>.
 *   Opt out of YP.com's targeted advertising program.<http://www.yellowpages.com/about/legal/advertisingchoices>


Lauren Gelman
BlurryEdge Strategies
415-627-8512

On Sep 21, 2012, at 9:37 AM, Jeffrey Chester wrote:



That is very interesting.   How would a user know the different data collection practices run by the parties, and its implications?  What does ATT.net<http://ATT.net/> do with the data versus Yahoo?  What is shared and used by both parties internally and operationalized?  Or shared with third parties, used by ad exchanges, etc.

This is a good example to fully flesh out the data practices on co-branded sites to understand what it means for privacy under the DNT frame.  I hope you and colleagues to build on this so we have a living example to consider.

Thanks,

Jeff


Jeffrey Chester
Center for Digital Democracy
1621 Connecticut Ave, NW, Suite 550
Washington, DC 20009
www.democraticmedia.org<http://www.democraticmedia.org/>
www.digitalads.org<http://www.digitalads.org/>
202-986-2220

On Sep 21, 2012, at 12:26 PM, Vinay Goel wrote:



Hi Jeff,

Here's one example: http://att.yahoo.com<http://att.yahoo.com/>

-Vinay

From: Jeffrey Chester <jeff@democraticmedia.org<mailto:jeff@democraticmedia.org>>
Date: Friday, September 21, 2012 9:33 AM
To: Rob Sherman <robsherman@fb.com<mailto:robsherman@fb.com>>
Cc: Chris Pedigo <CPedigo@online-publishers.org<mailto:CPedigo@online-publishers.org>>, Justin Brookman <justin@cdt.org<mailto:justin@cdt.org>>, "public-tracking@w3.org<mailto:public-tracking@w3.org>" <public-tracking@w3.org<mailto:public-tracking@w3.org>>
Subject: Re: Multiple First Parties
Resent-From: <public-tracking@w3.org<mailto:public-tracking@w3.org>>
Resent-Date: Friday, September 21, 2012 9:34 AM

Rob:  Thanks for all this.  Can you give us a real world example of a co-run site?   What are the models we can examine to help us better understand the implications for users?

Regards,

Jeff


Jeffrey Chester
Center for Digital Democracy
1621 Connecticut Ave, NW, Suite 550
Washington, DC 20009
www.democraticmedia.org<http://www.democraticmedia.org/>
www.digitalads.org<http://www.digitalads.org/>
202-986-2220

On Sep 21, 2012, at 3:01 AM, Rob Sherman wrote:



Thanks very much for all of this feedback.  As I understand it, the group
generally agrees that the party responsible for a website that a user
visits is a first party on that website.  Text in the existing draft
acknowledges that, in some circumstances, there may be more than one party
responsible.  The point of my proposal is to provide context around that
concept so that parties have some guidance in the spec about how to
determine whether they fall into this category.  Currently, we simply say
that it may sometimes happen and leave it at that.  The Example Sports on
Example Social example - which comes from Jonathan and Tom's text - is an
attempt to illustrate the point, and what I've tried to do is to elaborate
a bit on what it is about Example Sports and Example Social that make them
both first parties in that instance.

I agree with Mike that the meaningful interaction standard doesn't apply
here.  To be clear, we're talking about two distinct situations:  (1) a
basic third party, such as a "share" button, which is a third party but
becomes a first party when the user interacts with it; and (2) a single
website that is operated by two first parties operating together.  In that
second scenario, just as we agree that a user intends to interact with the
entity responsible for a website when he/she browses to that website, it
seems reasonable to draw the same conclusion when there are two entities
responsible.  This should not implicate Jeff's concern about giving
parties a "free pass" on DNT because, although I think branding is an
important way to ensure that consumers understand who is responsible for a
website, nobody is suggesting that putting a logo on a website, without
more, gives a party license to ignore DNT.

My goal here is simply to describe the concept of multiple first parties,
which has been in the draft for some time and is a concept that I think
most people in the TPWG understand, in a way that helps parties who have
not been a part of our discussions implement the spec in a way that is
consistent with what we envision.


Rob Sherman
Facebook | Manager, Privacy and Public Policy
1155 F Street, NW Suite 475 | Washington, DC 20004
office 202.370.5147 | mobile 202.257.3901





On 9/20/12 7:08 AM, "Chris Pedigo" <CPedigo@online-publishers.org<mailto:CPedigo@online-publishers.org>> wrote:



Rob, thanks for this clarifying language.  I believe it reflects the
group's previous decisions on first parties and provides some useful
guidance for implementers.

Justin, I don't see how this would be an expansion.  Can you clarify?

-----Original Message-----
From: Justin Brookman [mailto:justin@cdt.org]
Sent: Thursday, September 20, 2012 10:01 AM
To: public-tracking@w3.org<mailto:public-tracking@w3.org>
Subject: Re: Multiple First Parties

The existing language already allows for multiple first parties despite
no meaningful interaction.  Rob (Sherman) is arguing for an expansion.
I have previously argued against multiple first parties, but I do not
believe many agreed with me.  The Example Sports on Example Social is an
interesting example that may be consistent with Jonathan's original
formulation (he and Tom drafted the original language), though I still
think we need more to be clear that mere branding and disclosure are not
sufficient.

Justin Brookman
Director, Consumer Privacy
Center for Democracy & Technology
1634 I Street NW, Suite 1100
Washington, DC 20006
tel 202.407.8812
fax 202.637.0969
justin@cdt.org<mailto:justin@cdt.org>
http://www.cdt.org<http://www.cdt.org/>
@CenDemTech
@JustinBrookman

On 9/20/2012 9:52 AM, Jeffrey Chester wrote:
I also agree that the meaningful interaction standard should apply.
Just because a site may have a syndicated presence on a first part page
shouldn't give it a free pass.  Sites could engage in co-branding to
wipe out DNT safeguards.



On Sep 20, 2012, at 9:24 AM, Mike Zaneis wrote:

Rob,

I don't think the meaningful interaction standard covers what is being
presented here. Meaningful interaction contemplates a user action after
they visit the site. What the examples Rob Sherman provides show is a
clear understanding by the user that there are multiple first parties
upon landing on a particular page (am I getting that right Rob
Sherman?).

I think this is a vitally important distinction for us to make since
the Internet is evolving to provide more examples of this dual
content/owner page. It just needs to be clear to the user that there
are multiple first parties and providing some factors of indicia in the
standard would be helpful.

Mike Zaneis
SVP & General Counsel, IAB
(202) 253-1466

On Sep 20, 2012, at 1:42 AM, "Rob van Eijk" <rob@blaeu.com<mailto:rob@blaeu.com>> wrote:

In these instances, a party will be deemed a first party on a
particular website if it concludes that a user would reasonably
expect to communicate with it using the website.
Hi Rob,

This would imply a change of the first party definition, which is
covered elsewhere in the document. Isn't your scenarion already
covered with the priniple of meaningful interaction?

tnks::Rob

Rob Sherman schreef op 2012-09-19 22:34:
*
  *
The editors' draft of the compliance spec raises a question about
how to define the circumstances in which more than one entity
operates as a first party on a particular website. As drafted, the
first option leaves more questions than answers because it says
that this may happen in some circumstances but does not provide any
concrete guidance on how a party can tell when it is a first party.

I've proposed text below that I hope leaves intact the basic intent
behind the existing text - including two examples that are already
there as options - but that elaborates a bit on the examples and
provides some non-normative guidance about factors that an entity
might consider in making a judgment whether it qualifies as a first
party. The thinking is that, although we can't - and should not try
to - anticipate the specifics every situation in which two entities
collaborate, it would be helpful to provide some guidance in the
text to people who are not in the Working Group and who may not
have the context for situations that this section envisions.

Feedback on this text would, of course, be appreciated.

Rob

# # #

3.5.1.2.2 MULTIPLE FIRST PARTIES

_<NORMATIVE>_

For many websites, there will be only one party that the average
user would expect to communicate with: the provider of the website
the user has visited. But, for other websites, users may expect to
communicate with more than one party. In these instances, a party
will be deemed a first party on a particular website if it
concludes that a user would reasonably expect to communicate with it
using the website.

_<NON-NORMATIVE>_

URIs, branding, the presence of privacy policies or other
disclosures that specifically identify a party, and the extent to
which a party provides meaningful content or functionality on the
website, may contribute to, but are not necessarily determinative
of, user perceptions about whether a website is provided by more
than one party.

_Example: _Example Sports, a well-known sports league, collaborates
with Example Streaming, a well-known streaming video website, to
provide content on a sports-themed video streaming website. The
website is prominently advertised and branded as being provided by
both Example Sports and ExampleStreaming. An ordinary user who
visits the website may recognize that it isoperated by both Example
Sports and Example Streaming. Both Example Sports and Example
Streaming are first parties.

_Example:_ Example Sports has a dedicated page on a Example Social,
a social networking website. The page is branded with both Example
Sports' name and logo and Example Social's name and logo. Both
Example Sports' name and Example Social's names appear in the URI
for the page. When a user visits this dedicated page, both Example
Sports and Example Social are first parties.

Rob Sherman

FACEBOOK | MANAGER, PRIVACY AND PUBLIC POLICY

1155 F Street, NW Suite 475 | Washington, DC 20004

office 202.370.5147 | mobile 202.257.3901
Received on Friday, 21 September 2012 19:52:01 UTC

This archive was generated by hypermail 2.3.1 : Friday, 21 June 2013 10:11:34 UTC