W3C home > Mailing lists > Public > public-tracking@w3.org > January 2012

Re: Draft Text on First Parties and Third Parties (ACTION-34, ISSUE-10, ISSUE-26, ISSUE-88)

From: Jonathan Mayer <jmayer@stanford.edu>
Date: Sat, 7 Jan 2012 14:37:26 -0800
Cc: public-tracking@w3.org
Message-Id: <BF7FB0B9-8DAE-450A-85BB-EF2CC78DA5DB@stanford.edu>
To: Justin Brookman <justin@cdt.org>

On Jan 6, 2012, at 7:20 AM, Justin Brookman wrote:

> A couple thoughts:
> 
> On 1/5/2012 5:50 PM, Jonathan Mayer wrote:
>> 
>> 
>> On Jan 5, 2012, at 8:33 AM, Justin Brookman wrote:
>> 
>>> I would revise the definition of first party to "A first party is, in a specific network interaction, the operator of the domain with which the user intended to communicate."
>> 
>> On "the operator of the domain":
>> You're glossing over the (crucial) definition of "party."  What's an "operator of [a] domain"?  PS+1 corporate ownership/control?
> 
> I gloss over the definition of party because it's addressed elsewhere.  But you're right, I should have said, "A first party is, in a specific network interaction, the party that operates the domain . . ."

If I understand correctly, you are proposing two additional limits on first parties.  First, there can only be at most one first party per web page.  Second, if there is a first party for a web page, it can only be the party listed in the registration for the PS+1 in the browser's URL bar.  I have reservations about both of these limitations, but before going there, I want to make sure we're on the same page.

>> On "with which the user intended to communicate":
>> Tom and I drafted objective definitions that require a universal, straightforward, testable judgement about party divisions and party status.  Subjective standards are unworkable - we can't expect a website to understand each user's mental state.
> I don't see how "with which the user intended to communicate" is any more subjective than "that can infer with high probability that the user knowingly and intentionally communicated with it."  I'm not wedded to my language, but I think tying intent to the specific domain the user's trying to get to instead of the more vague concept of who the user is might be trying to "communicate with" on any given domain is more precise and will make implementation simpler.

I want to unpack two points here.

First, on subjectivity vs. objectivity: The text Tom and I drafted is objective.  It *does not* ask a website to understand each user's mental state.  Rather, it expects a website to have an understanding of how its audience, in the aggregate, expects to interact with it.  In almost all cases the answer is very straightforward.  The text you are proposing, on the other hand, is subjective.  It *does* ask a website to know what each user is thinking.  That's clearly unworkable, and I understand why it's a non-starter for many around the table.

Second, on your reliance on domains: I think it's unwise to turn our "first party" definition on what's in the URL bar.  Visible domain names - and URLs - are slowly going the way of the dinosaur.  Many browsers now feature a URL bar-free or URL bar-hidden mode, and mobile apps rarely show the user which websites they're communicating with.

>>> I would remove the entire section about multiple first parties as I do not believe a realistic example has been presented where that would ever be the case.  In the example of the craigslist/Google Maps mashup, whichever of the two is the actual operator of the domain should be the first party and the other would be the third party (or, if an entirely different entity operates the mashup, as appears to be the case at HousingMaps.com, the operator of HousingMaps is the first party and craigslist and Google are third parties if they're present at all).
>>> Third parties can still become first parties if their content is clearly branded and a user meaningfully interacts with the content.  Writing a spec for the extreme and unprecedented edge case facebookandmoviefonebothrunthisdomain.com will cause more uncertainty and invite abuse while not solving an actual problem.  Domains have one operator; until co-registration becomes an option, sticking with one first party makes sense.
>> 
>> Here's a different multiple first-party use case to motivate the issue: examplecompany.tumblr.com.  It's quite clear that both Example Company and Tumblr are providing content.
> Tumblr is the first party and Example is a third party.  I don't expect Example to track me on their Facebook page, their Tumblr, or if they post an ad in Craigslist that I visit.

I'm not sure that would be what most users expect.  Research would be helpful.  At any rate, we can agree that it's an edge case.

> In practice, I don't believe passive tracking on third-party platforms is common.

Some platforms (e.g. Facebook) limit custom HTML, CSS, and JavaScript, mooting the issue.  But some (e.g. Tumblr) tout their support for tracking content - see http://www.tumblr.com/docs/en/google_analytics.  We will have to address this.

> I would be willing to make exceptions for otherwise third parties that are proactively mashed up by the user (added to an aggregator), though I agree that the privacy implications are less concerning than the practical implementation (and the related who-the-hell-embedded-my-content question).
>>> I would also add .url shortener services as a specific example of a third party with which the user was not intending to communicate.
>> 
>> Tom and I left URL shortening services as an open ISSUE.  I support moving them into the common use cases discussion as, in general, third parties.
> This is more in response to Heather, but I can't think of a single URL shortener scenario that looks like a first-party interaction.  If I read this on Twitter: "Neat WSJ story on #privacy in the cloud: goo.gl/eT3d" and click on the link, I think the WSJ is the first party and Google is a third party.  I'm clearly not trying to interact with Google --- someone just used that service to get under 140 characters, and I could care less whether they used bit.ly, j.mp, t.co, c.dt or anything else.
> 
>>> Justin Brookman
>>> Director, Consumer Privacy Project
>>> Center for Democracy & Technology
>>> 1634 I Street NW, Suite 1100
>>> Washington, DC 20006
>>> tel 202.407.8812
>>> fax 202.637.0969
>>> justin@cdt.org
>>> http://www.cdt.org
>>> @CenDemTech
>>> @JustinBrookman
>>> 
>>> On 1/4/2012 6:51 PM, Jonathan Robert Mayer wrote:
>>>> 
>>>> Understood. I took my own notes, and we'll work from the minutes. If others would like to write up their proposed changes, that would be most helpful,
>>>> 
>>>> Jonathan
>>>> 
>>>> On Jan 4, 2012, at 3:46 PM, David Singer <singer@apple.com> wrote:
>>>> 
>>>>> To be clear, I only provide the edits I personally suggested;  I think all of us were asked to be precise about what we were suggesting, and I didn't do anyone else's suggestions.
>>>>> 
>>>>> On Jan 4, 2012, at 15:42 , Jonathan Robert Mayer wrote:
>>>>> 
>>>>>> Thanks for taking notes. Tom and I will revise the text to incorporate what we heard on today's call. Much of the focus was on the edge cases of mashups and inadvertantly embedded content - which strongly suggests to me that we're very close to consensus.
>>>>>> 
>>>>>> The two outstanding high-level concerns that I recall are:
>>>>>> 
>>>>>> 1) Are the standards we provide workable in practice? I believe close calls will be very rare, and only companies gaming the margin would have to consider surveying users. Heather was less sure. Heather, could you suggest a few common use cases that lead to a difficult analysis under the draft's standards?
>>>>>> 
>>>>>> 2) Shane suggested (and a few supported) moving to a user-is-able-to-discover-information standard for what's a party and what's a first or third party. Shane, could you briefly sketch what this standard might look like and give a few examples where it would work a different result from our user expectations standard?
>>>>>> 
>>>>>> Jonathan
>>>>>> 
>>>>>> On Jan 4, 2012, at 1:27 PM, David Singer <singer@apple.com> wrote:
>>>>>> 
>>>>>>> Here are my comments/suggestions, after this morning's call.
>>>>>>> 
>>>>>>> 1) section 2.1.  Make clear that the user is a party, or specifically say that the definition defines parties that may be 1st or 3rd.
>>>>>>>   also raise an issue for a clear definition of what falls into the 2nd party?? (e.g. software or other agents acting on the user's behalf??)
>>>>>>> 
>>>>>>> 2) section 2.1.  Consider adding the condition that two separate legal entities cannot be considered a single party (in our context).
>>>>>>> 
>>>>>>> 3) section 2.1.  Add an issue that we may want to strengthen the definition to the point where it is testable.
>>>>>>> 
>>>>>>> 4) section 4.1.  Make the definitions of what is a 1st party a list of conditions, all of which apply.
>>>>>>> 
>>>>>>> 5) section 4.1.  Add to the list of conditions:
>>>>>>>   a) the user must be directly aware of the existence and identity of a separate entity, prior to their interaction.
>>>>>>>   b) the user's makes an independent choice to communicate/interact with the entity.
>>>>>>> 
>>>>>>> Counter-examples to (a) are a weather or other widget with no obvious branding or other evidence to show it came from another organization or entity; the user is not aware of a separate identity behind it.
>>>>>>> Counter-examples to (b) are where sites are mash-ups of unpredictable sources; the user, by visiting the mash-up, chose only the mashing site as the first party; until the user interacts further, the mashed sites are third parties (and rule (a) applies as well - the user must be aware that they are mashed in, and not sourced by the mashing site).
>>>>>>> 
>>>>>>> 
>>>>>>> 
>>>>>>> 
>>>>>>> On Dec 22, 2011, at 15:25 , Jonathan Mayer wrote:
>>>>>>> 
>>>>>>>> Tom and I have worked for several weeks on a comprehensive draft of the sections delineating first parties and third parties.  We attempted to reflect the approaching-consensus discussion at Santa Clara and on the email list.  Our draft includes both operative standards language and non-normative explanation and examples.  The text is formatted with the W3C template to better resemble how it would appear in the final document; please note that this is not an Editor's Draft (as the template might suggest).
>>>>>>>> 
>>>>>>>> Jonathan
>>>>>>>> 
>>>>>>>> <parties-draft-jm-tl.html>
>>>>>>>> 
>>>>>>> 
>>>>>>> David Singer
>>>>>>> Multimedia and Software Standards, Apple Inc.
>>>>>>> 
>>>>>> 
>>>>> 
>>>>> David Singer
>>>>> Multimedia and Software Standards, Apple Inc.
>>>>> 
>> 


Received on Saturday, 7 January 2012 22:40:29 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 17:38:30 UTC