- From: Jeffrey Chester <jeff@democraticmedia.org>
- Date: Fri, 06 Jan 2012 10:32:01 -0500
- To: "public-tracking@w3.org (public-tracking@w3.org)" <public-tracking@w3.org>
- Message-id: <9612F280-163F-4B6E-9515-357B8A064E39@democraticmedia.org>
User expectations is a reasonable standard and the fairest to users (and I also think management). Such an approach places the responsibility on the managers of the site; they should be able to reasonably know whether a user can readily understand the data practices of the site. Corporate ownership is inadequate, because sites are designed with different interests in mind, even if commonly owned. For example, there isn't a standard landing page optimization design for such sites (note even on Flicker homepage the reduced typeface of Yahoo and its near absence at the rarely scrolled to privacy section at bottom; also the more prominent mention of both Google & Facebook. This is an example of how confusing it may be to users). I also believe the proposal on third party widgets, with weather used as an example, reflects the user expectation paradigm as well. Jeffrey Chester Center for Digital Democracy 1621 Connecticut Ave, NW, Suite 550 Washington, DC 20009 www.democraticmedia.org www.digitalads.org 202-986-2220 Jeffrey Chester Center for Digital Democracy 1621 Connecticut Ave, NW, Suite 550 Washington, DC 20009 www.democraticmedia.org www.digitalads.org 202-986-2220 On Jan 6, 2012, at 10:20 AM, Justin Brookman wrote: > A couple thoughts: > > On 1/5/2012 5:50 PM, Jonathan Mayer wrote: >> >> >> On Jan 5, 2012, at 8:33 AM, Justin Brookman wrote: >> >>> I would revise the definition of first party to "A first party is, in a specific network interaction, the operator of the domain with which the user intended to communicate." >> >> On "the operator of the domain": >> You're glossing over the (crucial) definition of "party." What's an "operator of [a] domain"? PS+1 corporate ownership/control? > > I gloss over the definition of party because it's addressed elsewhere. But you're right, I should have said, "A first party is, in a specific network interaction, the party that operates the domain . . ." > >> On "with which the user intended to communicate": >> Tom and I drafted objective definitions that require a universal, straightforward, testable judgement about party divisions and party status. Subjective standards are unworkable - we can't expect a website to understand each user's mental state. > I don't see how "with which the user intended to communicate" is any more subjective than "that can infer with high probability that the user knowingly and intentionally communicated with it." I'm not wedded to my language, but I think tying intent to the specific domain the user's trying to get to instead of the more vague concept of who the user is might be trying to "communicate with" on any given domain is more precise and will make implementation simpler. > >>> I would remove the entire section about multiple first parties as I do not believe a realistic example has been presented where that would ever be the case. In the example of the craigslist/Google Maps mashup, whichever of the two is the actual operator of the domain should be the first party and the other would be the third party (or, if an entirely different entity operates the mashup, as appears to be the case at HousingMaps.com, the operator of HousingMaps is the first party and craigslist and Google are third parties if they're present at all). >>> Third parties can still become first parties if their content is clearly branded and a user meaningfully interacts with the content. Writing a spec for the extreme and unprecedented edge case facebookandmoviefonebothrunthisdomain.com will cause more uncertainty and invite abuse while not solving an actual problem. Domains have one operator; until co-registration becomes an option, sticking with one first party makes sense. >> >> Here's a different multiple first-party use case to motivate the issue: examplecompany.tumblr.com. It's quite clear that both Example Company and Tumblr are providing content. > Tumblr is the first party and Example is a third party. I don't expect Example to track me on their Facebook page, their Tumblr, or if they post an ad in Craigslist that I visit. In practice, I don't believe passive tracking on third-party platforms is common. I would be willing to make exceptions for otherwise third parties that are proactively mashed up by the user (added to an aggregator), though I agree that the privacy implications are less concerning than the practical implementation (and the related who-the-hell-embedded-my-content question). >>> I would also add .url shortener services as a specific example of a third party with which the user was not intending to communicate. >> >> Tom and I left URL shortening services as an open ISSUE. I support moving them into the common use cases discussion as, in general, third parties. > This is more in response to Heather, but I can't think of a single URL shortener scenario that looks like a first-party interaction. If I read this on Twitter: "Neat WSJ story on #privacy in the cloud: goo.gl/eT3d" and click on the link, I think the WSJ is the first party and Google is a third party. I'm clearly not trying to interact with Google --- someone just used that service to get under 140 characters, and I could care less whether they used bit.ly, j.mp, t.co, c.dt or anything else. > >>> Justin Brookman >>> Director, Consumer Privacy Project >>> Center for Democracy & Technology >>> 1634 I Street NW, Suite 1100 >>> Washington, DC 20006 >>> tel 202.407.8812 >>> fax 202.637.0969 >>> justin@cdt.org >>> http://www.cdt.org >>> @CenDemTech >>> @JustinBrookman >>> >>> On 1/4/2012 6:51 PM, Jonathan Robert Mayer wrote: >>>> >>>> Understood. I took my own notes, and we'll work from the minutes. If others would like to write up their proposed changes, that would be most helpful, >>>> >>>> Jonathan >>>> >>>> On Jan 4, 2012, at 3:46 PM, David Singer <singer@apple.com> wrote: >>>> >>>>> To be clear, I only provide the edits I personally suggested; I think all of us were asked to be precise about what we were suggesting, and I didn't do anyone else's suggestions. >>>>> >>>>> On Jan 4, 2012, at 15:42 , Jonathan Robert Mayer wrote: >>>>> >>>>>> Thanks for taking notes. Tom and I will revise the text to incorporate what we heard on today's call. Much of the focus was on the edge cases of mashups and inadvertantly embedded content - which strongly suggests to me that we're very close to consensus. >>>>>> >>>>>> The two outstanding high-level concerns that I recall are: >>>>>> >>>>>> 1) Are the standards we provide workable in practice? I believe close calls will be very rare, and only companies gaming the margin would have to consider surveying users. Heather was less sure. Heather, could you suggest a few common use cases that lead to a difficult analysis under the draft's standards? >>>>>> >>>>>> 2) Shane suggested (and a few supported) moving to a user-is-able-to-discover-information standard for what's a party and what's a first or third party. Shane, could you briefly sketch what this standard might look like and give a few examples where it would work a different result from our user expectations standard? >>>>>> >>>>>> Jonathan >>>>>> >>>>>> On Jan 4, 2012, at 1:27 PM, David Singer <singer@apple.com> wrote: >>>>>> >>>>>>> Here are my comments/suggestions, after this morning's call. >>>>>>> >>>>>>> 1) section 2.1. Make clear that the user is a party, or specifically say that the definition defines parties that may be 1st or 3rd. >>>>>>> also raise an issue for a clear definition of what falls into the 2nd party?? (e.g. software or other agents acting on the user's behalf??) >>>>>>> >>>>>>> 2) section 2.1. Consider adding the condition that two separate legal entities cannot be considered a single party (in our context). >>>>>>> >>>>>>> 3) section 2.1. Add an issue that we may want to strengthen the definition to the point where it is testable. >>>>>>> >>>>>>> 4) section 4.1. Make the definitions of what is a 1st party a list of conditions, all of which apply. >>>>>>> >>>>>>> 5) section 4.1. Add to the list of conditions: >>>>>>> a) the user must be directly aware of the existence and identity of a separate entity, prior to their interaction. >>>>>>> b) the user's makes an independent choice to communicate/interact with the entity. >>>>>>> >>>>>>> Counter-examples to (a) are a weather or other widget with no obvious branding or other evidence to show it came from another organization or entity; the user is not aware of a separate identity behind it. >>>>>>> Counter-examples to (b) are where sites are mash-ups of unpredictable sources; the user, by visiting the mash-up, chose only the mashing site as the first party; until the user interacts further, the mashed sites are third parties (and rule (a) applies as well - the user must be aware that they are mashed in, and not sourced by the mashing site). >>>>>>> >>>>>>> >>>>>>> >>>>>>> >>>>>>> On Dec 22, 2011, at 15:25 , Jonathan Mayer wrote: >>>>>>> >>>>>>>> Tom and I have worked for several weeks on a comprehensive draft of the sections delineating first parties and third parties. We attempted to reflect the approaching-consensus discussion at Santa Clara and on the email list. Our draft includes both operative standards language and non-normative explanation and examples. The text is formatted with the W3C template to better resemble how it would appear in the final document; please note that this is not an Editor's Draft (as the template might suggest). >>>>>>>> >>>>>>>> Jonathan >>>>>>>> >>>>>>>> <parties-draft-jm-tl.html> >>>>>>>> >>>>>>> >>>>>>> David Singer >>>>>>> Multimedia and Software Standards, Apple Inc. >>>>>>> >>>>>> >>>>> >>>>> David Singer >>>>> Multimedia and Software Standards, Apple Inc. >>>>> >>
Received on Friday, 6 January 2012 15:32:38 UTC