Re: June Change proposal: definition of first party (Issue-10)

Hi Lee,

I've moved ISSUE-10 to the Compliance June product; I believe that existing issue closely tracks the topic of this change. That issue is currently open, although I think we intended to move it to Pending Review Stable (post an action for additional review from Jeff Chester), to reflect the apparent stability around "intentional interaction".

I've set up a wiki page for this proposal: http://www.w3.org/wiki/Privacy/TPWG/Change_Proposal_Party_Definitions
The wiki page also has the text from the editors' draft, for comparison.

I've chosen a generic title to cover the three definitions you propose (on party, first party and third party), but it may be that your concern is particularly around the first party definition. In particular, "Otherwise, a party is a third party" seems to fairly closely match the editors' draft "A third party is any party other than a first party, service provider, or the user." 

Finally, is your intention in proposing to remove the details of affiliate requirements and easy discoverability a suggestion that we should not allow affiliates to qualify as the same party or a proposal that we simply not detail the requirements around affiliates?

Thanks,
Nick

On Jun 25, 2013, at 7:03 PM, Lee Tien <tien@eff.org> wrote:

> This proposed language is directly from the EFF/Stanford/Mozilla proposal:
> 
> "A first party is any party, in a specific network interaction, that can infer with high probability that the user knowingly and intentionally communicated with it. Otherwise, a party is a third party.
> 
> A third party is any party, in a specific network interaction, that cannot infer with high probability that the user knowingly and intentionally communicated with it."
> 
> * * *
> 
> As a corollary, I question whether the definition of party remains consensus.  
> 
> "A party is any commercial, nonprofit, or governmental organization, a subsidiary or unit of such an organization, or a person. For unique corporate entities to qualify as a common party with respect to this document, those entities must be commonly owned and commonly controlled and must provide easy discoverability of affiliate organizations. An list of affiliates must be provided within one click from each page or the entity owner clearly identified within one click from each page."
> 
> I propose we keep only the first sentence.  
> 
> "A party is any commercial, nonprofit, or governmental organization, a subsidiary or unit of such an organization, or a person."
> 
> This BTW links up with the language on multiple first parties:
> 
> 3.5.1 Multiple First Parties
> 
> In most network interactions, there will be only one first party with which the user intends to interact. However, in some cases, a network resource will be jointly operated by two or more parties, and a user would reasonably expect to communicate with all of them by accessing that resource. User understanding that multiple parties operate a particular resource could be accomplished through inclusion of multiple parties' brands in a domain name, or prominent branding on the resource indicating that multiple parties are responsible for content or functionality on the resource with which a user reasonably would expect to interact by accessing the resource. Simple branding of a party, without more, will not be sufficient to make that party a first party in any particular network interaction.
> 
> Comment:  Speaking only for myself, I was uncomfortable with the inclusion of affiliates within the party definition, but could have accepted it as part of our compromise proposal (which sad to say didn't get traction).  The text on multiple first parties is even more expansive, but might be tolerable if party and first party are appropriately scoped per the above.  
> 
> -- 
> Lee Tien
> Senior Staff Attorney
> Electronic Frontier Foundation
> 815 Eddy Street
> San Francisco, CA 94109
> (415) 436-9333 x 102 (tel)
> (415) 436-9993 (fax)
> tien@eff.org

Received on Wednesday, 26 June 2013 06:55:55 UTC