Re: Draft Text on First Parties and Third Parties (ACTION-34, ISSUE-10, ISSUE-26, ISSUE-88)

I would revise the definition of first party to "A first party is, in a 
specific network interaction, the operator of the domain with which the 
user intended to communicate."  I would remove the entire section about 
multiple first parties as I do not believe a realistic example has been 
presented where that would ever be the case.  In the example of the 
craigslist/Google Maps mashup, whichever of the two is the actual 
operator of the domain should be the first party and the other would be 
the third party (or, if an entirely different entity operates the 
mashup, as appears to be the case at, the operator of 
HousingMaps is the first party and craigslist and Google are third 
parties if they're present at all).  Third parties can still become 
first parties if their content is clearly branded and a user 
meaningfully interacts with the content.  Writing a spec for the extreme 
and unprecedented edge case 
will cause more uncertainty and invite abuse while not solving an actual 
problem.  Domains have one operator; until co-registration becomes an 
option, sticking with one first party makes sense.

I like David's proposed counterexample to 4.1(a).  I believe my above 
suggestion should take the place of his counterexample to 4.1(b) (though 
both are designed to achieve the same goal).

On the call, we seemed to agree that it should be a necessary condition 
for an entity to be under common corporate control as the site operator 
in order to be a first party (or a third party who gets permission to 
track).  Thus, I would revise the definition of party to: "A 'party' is 
any person or commercial, nonprofit, or governmental organization, as 
well as any person or organization that operates under the same 
corporate or governmental control as the party and 
[discoverability/branding/user perception --- whatever test we use]."

I will again make the argument that branding seems the more reasonable 
and concrete test here, and will provide the most certainty for users 
and companies, but I await Shane's pitch for why discoverability is 
sufficiently clear to users (or Jonathan's counterpitch on why "user 
perception" is sufficiently workable).

I would also add URL shortener services as a specific example of a 
third party with which the user was not intending to communicate.

Justin Brookman
Director, Consumer Privacy Project
Center for Democracy & Technology
1634 I Street NW, Suite 1100
Washington, DC 20006
tel 202.407.8812
fax 202.637.0969

On 1/4/2012 6:51 PM, Jonathan Robert Mayer wrote:
> Understood. I took my own notes, and we'll work from the minutes. If 
> others would like to write up their proposed changes, that would be 
> most helpful,
> Jonathan
> On Jan 4, 2012, at 3:46 PM, David Singer wrote:
>> To be clear, I only provide the edits I personally suggested;  I 
>> think all of us were asked to be precise about what we were 
>> suggesting, and I didn't do anyone else's suggestions.
>> On Jan 4, 2012, at 15:42 , Jonathan Robert Mayer wrote:
>>> Thanks for taking notes. Tom and I will revise the text to 
>>> incorporate what we heard on today's call. Much of the focus was on 
>>> the edge cases of mashups and inadvertently embedded content - which 
>>> strongly suggests to me that we're very close to consensus.
>>> The two outstanding high-level concerns that I recall are:
>>> 1) Are the standards we provide workable in practice? I believe 
>>> close calls will be very rare, and only companies gaming the margin 
>>> would have to consider surveying users. Heather was less sure. 
>>> Heather, could you suggest a few common use cases that lead to a 
>>> difficult analysis under the draft's standards?
>>> 2) Shane suggested (and a few supported) moving to a 
>>> user-is-able-to-discover-information standard for what's a party and 
>>> what's a first or third party. Shane, could you briefly sketch what 
>>> this standard might look like and give a few examples where it would 
>>> work a different result from our user expectations standard?
>>> Jonathan
>>> On Jan 4, 2012, at 1:27 PM, David Singer wrote:
>>>> Here are my comments/suggestions, after this morning's call.
>>>> 1) section 2.1.  Make clear that the user is a party, or 
>>>> specifically say that the definition defines parties that may be 
>>>> 1st or 3rd.
>>>>   also raise an issue for a clear definition of what falls into the 
>>>> 2nd party?? (e.g. software or other agents acting on the user's 
>>>> behalf??)
>>>> 2) section 2.1.  Consider adding the condition that two separate 
>>>> legal entities cannot be considered a single party (in our context).
>>>> 3) section 2.1.  Add an issue that we may want to strengthen the 
>>>> definition to the point where it is testable.
>>>> 4) section 4.1.  Make the definitions of what is a 1st party a list 
>>>> of conditions, all of which apply.
>>>> 5) section 4.1.  Add to the list of conditions:
>>>>   a) the user must be directly aware of the existence and identity 
>>>> of a separate entity, prior to their interaction.
>>>>   b) the user makes an independent choice to communicate/interact 
>>>> with the entity.
>>>> Counter-examples to (a) are a weather or other widget with no 
>>>> obvious branding or other evidence to show it came from another 
>>>> organization or entity; the user is not aware of a separate 
>>>> identity behind it.
>>>> Counter-examples to (b) are where sites are mash-ups of 
>>>> unpredictable sources; the user, by visiting the mash-up, chose 
>>>> only the mashing site as the first party; until the user interacts 
>>>> further, the mashed sites are third parties (and rule (a) applies 
>>>> as well - the user must be aware that they are mashed in, and not 
>>>> sourced by the mashing site).
>>>> On Dec 22, 2011, at 15:25 , Jonathan Mayer wrote:
>>>>> Tom and I have worked for several weeks on a comprehensive draft 
>>>>> of the sections delineating first parties and third parties.  We 
>>>>> attempted to reflect the approaching-consensus discussion at Santa 
>>>>> Clara and on the email list.  Our draft includes both operative 
>>>>> standards language and non-normative explanation and examples. 
>>>>>  The text is formatted with the W3C template to better resemble 
>>>>> how it would appear in the final document; please note that this 
>>>>> is /not/ an Editor's Draft (as the template might suggest).
>>>>> Jonathan
>>>>> <parties-draft-jm-tl.html>
>>>> David Singer
>>>> Multimedia and Software Standards, Apple Inc.
>> David Singer
>> Multimedia and Software Standards, Apple Inc.

Received on Thursday, 5 January 2012 16:34:37 UTC