W3C home > Mailing lists > Public > public-tracking@w3.org > February 2013

Re: ISSUE-10 First party definition, ISSUE-60, ACTION-?

From: Justin Brookman <justin@cdt.org>
Date: Wed, 27 Feb 2013 12:55:54 -0500
Message-ID: <512E48AA.4000003@cdt.org>
To: public-tracking@w3.org
On 2/27/2013 12:37 PM, Alexander Hanff wrote:
>
> I don't see why you find this so difficult to understand Justin -- it 
> doesn't matter a jot whether or not User A clicked on a Facebook Like 
> button for an article on NYT -- clicking on a "Like" button is not the 
> same as saying "OK Facebook, you can track that I have read this 
> article and use that data to add to my behavioural profile for 
> targeted ads" irrespective of whether or not the next site places 
> Facebook back into the "3^rd party" bucket.
>
> It really isn't difficult to grasp -- where is it specifically that 
> you don't understand the point?
>
I'm not sure where specifically I don't understand your point.

I think you're saying that if I click "like" for a particular article, 
then FB should be able to add that fact to Timeline/Newsfeed but 
shouldn't be able to add that fact to a behavioral profile.  If that's 
the case, then you're right the standard doesn't prevent that.  FB is a 
first-party in the communication of my liking the story to FB, so DNT 
doesn't apply. However, this has been agreed to within the group for 
over a year and is reflected in the other proposed definitions as well.  
This is not my sudden decision to subvert the working group.  If you 
think the working group is simply on the wrong track, that is your 
opinion, but I would appreciate your not misrepresenting this as a 
change in the group's opinion or a proposed substantive change in the text.
>
> Alexander Hanff
>
> *From:*Justin Brookman [mailto:justin@cdt.org]
> *Sent:* 27 February 2013 18:27
> *To:* public-tracking@w3.org
> *Subject:* Re: ISSUE-10 First party definition, ISSUE-60, ACTION-?
>
>     Let me spell this out, since you seem to not understand.
>
>     If a person clicks on a Like button, or Tweet button or uses a
>     "Search this site with Google" widget or any other 3^rd party
>     widget, that does not mean they consent to being tracked.  Their
>     purpose in using the widget is to do what one logically assumes
>     the widget is for, "Like", "Tweet" or "Search" -- so frankly your
>     defence that these only become first party if a user interacts is
>     completely irrelevant.
>
> Thank you for spelling things out, but I still may not understand 
> you.  Clicking a Like button once does not mean persistent consent to 
> track.  It means /in that specific network interaction/, DNT does not 
> apply to FB because the user intended to communicate with FB.  So if I 
> click "like" on a NYT story, FB learns that I assert to like that 
> story.  That's it.  The next page I go to with a like button, FB is 
> back to being a third party again.  Does that make sense?
>
> You are forcing consent on users based on a completely fabricated premise.
>
> Alexander Hanff
>
> *From:*Justin Brookman [mailto:justin@cdt.org]
> *Sent:* 27 February 2013 18:10
> *To:* public-tracking@w3.org <mailto:public-tracking@w3.org>
> *Subject:* Re: ISSUE-10 First party definition, ISSUE-60, ACTION-?
>
> On 2/27/2013 11:48 AM, Alexander Hanff wrote:
>
>     The issue in question is not whether or not people will be aware
>     that by clicking on a Like button it will post something to their
>     timeline -- that is not the purpose of Do Not Track.  The issue in
>     question is whether or not someone accepts or consents to Facebook
>     tracking their online behaviour if they click on a like button and
>     do so across all web sites where those buttons exists --
>     furthermore, just clicking on the button is not an accurate
>     description of how this tracking works.
>
>     My understanding is that if a user is currently logged in to
>     Facebook or has any Facebook cookies on their machine, merely
>     loading a page with the "Like" button script embedded is enough
>     for Facebook to be able to track that user across sites with the
>     widget.
>
> For the sole purpose of deterring you from spreading further 
> misinformation about me and this working group, I will point out that 
> the standard does not define widgets with which a user does *not* 
> interact as first parties.  So if there's a Tweet button on a NYTimes 
> page that I do *not* click, Twitter is not a first party in that 
> interaction.  This has been agreed within the group for months and is 
> obvious from the plain language of the text.  Again, as with the 
> discussion of deidentification, I would appreciate some modicum of 
> effort on your part to understand this group's work before flinging 
> around ungrounded insults and misplaced anger.
>
>
> *From:*Justin Brookman [mailto:justin@cdt.org]
> *Sent:* 27 February 2013 17:34
> *To:* public-tracking@w3.org <mailto:public-tracking@w3.org>
> *Subject:* Re: ISSUE-10 First party definition, ISSUE-60, ACTION-?
>
> There is no consensus definition of "first party" --- there are three 
> separate ones in the text.  I believe they all say much the same thing 
> and I was merely trying to merge them. :)
>
> I believe the group is at consensus that if someone clicks a "Like" 
> button, then it is reasonable to expect that Facebook is going to 
> receive information that falls outside the scope of Do Not Track 
> (namely, that the user 'likes' some particular page or pbject, and now 
> FB can display that in Newsfeed and Timeline consistent with the 
> user's privacy settings).  If anyone in the working group disagrees 
> with that, feel free to speak up.  Alexander, if you want to comb 
> through the mailing list to see our previous exhaustive discussions on 
> this, you may find them informative.  Or you may not, I don't know.
>
> However, you do, obliquely, get to a relevant point --- that perhaps 
> the definition should include be revised to say "clearly branded" 
> before "embedded widget" in order to make sure that the user knows 
> what she's clicking on.  I believe the group had discussed something 
> similar previously.  I would be fine with a discussion on what 
> constitutes clear branding (I would say things like the Like, Tweet, 
> and +1 buttons qualify) in an appendix.
>
>
>
>
> Justin Brookman
> Director, Consumer Privacy
> Center for Democracy & Technology
> tel 202.407.8812
> justin@cdt.org  <mailto:justin@cdt.org>
> http://www.cdt.org
> @JustinBrookman
> @CenDemTech
>
> On 2/27/2013 11:01 AM, Alexander Hanff wrote:
>
>     Why is the group second guessing what consumers think?  The
>     definition of first party already exists, there is no need to
>     redefine it in a light which makes it easier for exceptions to be
>     made for tracking widgets.
>
>     Many users will not be remotely aware that a "Like" button is
>     actually hosted by Facebook, they would assume it is hosted on the
>     domain they are visiting.  To assume otherwise is absurd and
>     further weakens the validity of this DNT process.
>
>     Alexander Hanff
>
>     *From:*Justin Brookman [mailto:justin@cdt.org]
>     *Sent:* 27 February 2013 16:52
>     *To:* public-tracking@w3.org <mailto:public-tracking@w3.org>
>     *Subject:* ISSUE-10 First party definition, ISSUE-60, ACTION-?
>
>     Peter asked me to try to combine the three definitions of "first
>     party" in the current text in consultation with Heather.  The
>     existing definitions are all very close, and I don't think there
>     are major substantive disagreements here.  Anyway, here is my best
>     effort (Heather provided feedback, but she's not around this
>     morning, so I don't know if she blesses this):
>
>     *In a specific network interaction, if a party can reasonably
>     conclude with high probability that the user intends to
>     communicate with it, that party is a <dfn>first party</dfn>.  In
>     most cases on a traditional web browser, the first party will be
>     the party that owns and operates the domain visible in the address
>     bar.  A first party also includes a party that owns and operates
>     an embedded widget, search box, or similar service with which a
>     user intentionally interacts.  If a user merely mouses over,
>     closes, or mutes such content, that is not sufficient interaction
>     to render the party a first party.*
>
>     Rob Sherman is separately working on text regarding multiple first
>     parties.
>
>     Chris Pedigo and Vinay Goel are separately working on text
>     regarding data processors that stand in the shoes of their
>     controllers, party-wise.
>
>     -- 
>
>     Justin Brookman
>
>     Director, Consumer Privacy
>
>     Center for Democracy & Technology
>
>     tel 202.407.8812
>
>     justin@cdt.org  <mailto:justin@cdt.org>
>
>     http://www.cdt.org
>
>     @JustinBrookman
>
>     @CenDemTech
>
Received on Wednesday, 27 February 2013 17:56:23 UTC

This archive was generated by hypermail 2.3.1 : Friday, 3 November 2017 21:45:04 UTC