W3C home > Mailing lists > Public > public-tracking@w3.org > January 2012

Re: Draft Text on First Parties and Third Parties (ACTION-34, ISSUE-10, ISSUE-26, ISSUE-88)

From: Jonathan Mayer <jmayer@stanford.edu>
Date: Sat, 7 Jan 2012 15:49:04 -0800
Cc: Jeffrey Chester <jeff@democraticmedia.org>, "Amy Colando (LCA)" <acolando@microsoft.com>, Heather West <heatherwest@google.com>, Justin Brookman <justin@cdt.org>, "public-tracking@w3.org" <public-tracking@w3.org>
Message-Id: <4775DB7C-057A-4297-8D94-1F539AF66F82@stanford.edu>
To: Shane Wiley <wileys@yahoo-inc.com>

On Jan 6, 2012, at 8:24 AM, Shane Wiley wrote:

> The difficulty with attempting to apply a “user expectation” standard is that every user has a personal, individual expectation

Yes.  That's why we're *not* calling for a subjective user expectations test.

> – driving by their own experiences, education, culture, and other factors.

We're not asking what users think about morality, politics, policy, or any other clearly divisive topic.  We're asking about whom users expect to interact with on the web.  The answer will vary, to be sure, but I'm very skeptical that will matter much in aggregate.

> Even as we attempt to aggregate “user expectations” to an “ordinary user” this too changes by market, demographic, etc.

We're asking a website to aggregate across its user base.  That's not market- or demographic-specific.

> – AND – will change over time.  2012’s average, ordinary, younger US web user will have a different set of expectations than that same user in 2017 – just 5 years from now.

Again, recall that we're asking about user expectations about parties on the web.  If you were to design Do Not Track a decade ago, I don't think the relevant user expectations would have been much different.  In fact, advocates and industry were engaged in much the same back and forth about first parties and third parties.  I don't see much reason to believe user expectations will shift much in the near future, especially in light of a growing body of research suggesting that, contrary to popular misconception, children are quite sensitive to privacy issues.

At any rate, to the extent our text would reflect slow changes in user expectations, I agree with John Simpson that that's a benefit.  Our standard has to account for new website designs, new web technologies, mergers and acquisitions, and many other eventualities.  While I'm sure the standard will be revisited from time to time, if we don't make efforts to future-proof the text, it'll be outmoded not long after we publish it.

> I believe we should take a step back to look at the original problem we’re attempting to solve for and take a more descriptive approach (vs. philosophically subjective one) to address where exceptions should be applied.

We've tried the high-level approach before (see all the emails on ISSUE-5).  It's not productive.

> The main target for DNT is 3rd party ad networks and data aggregators – those collecting data across non-commonly branded or affiliated sites. I don’t believe the true intention here was to go after companies that operate multiple brands (grocery stores, pharmaceutical companies, media, etc.).  While we can each argue different points of view on the “expectation” of users in these scenarios, I suggest we go back to original goal of setting true 3rd parties apart from “commonly operated sites”.

I don't believe I'm alone in rejecting this view.  There is neither a specific industry nor a specific business practice that is the "main target."  Some industries and some business practices consistently raise greater privacy concerns than others - but those industries and business practices may well change.  (The Facebook Like button, for example, is less than two years old.)

> There will be no ad network or DSP that will be able to claim it is a first party on any website other than its own (which consumers rarely visit).  And no true content provider is going to risk brand displacement or erosion by allowing any of those parties to co-brand on their properties.

Are you advocating a branding test, then?  I don't follow.

> So rather than continue this run into an endless black hole, I would suggest we define 1st parties as Justin had put forth:  “A first party is, in a specific network interaction, the party that operates the domain…”.

Justin's revised proposal was: "A first party is, in a specific network interaction, the party that operates the domain with which the user intended to communicate."  That's a subjective user expectations test.  To be clear - you would support that?

> We can go further to suggest parties MUST/SHOULD make their brand available at a minimum of 1 click away through a common link and with unavoidable prominence (Privacy, About Our Ads, etc.).  This would cover both Flickr (which I’ll continue to defend as obviously a Yahoo! branded product) and Disney which has bold, prominent branding in their privacy policy.  It would at the same time force those 1st parties that don’t make this information easy to find today change their approach to do so (in order to state they are DNT compliant).

If I read correctly, you're proposing a (lax) user discoverability test.  I'm now thoroughly confused - are you advocating for a set of bright-line rules, a branding test, a subjective user expectations test, or a user discoverability test?

> Attempting to ask the entire world to alter branding strategies to accommodate DNT is most likely a non-starter and has significant impact in both offline and online scenarios (rebranding, legal/contract implications, signage, back-end programming, etc.).
>  
> - Shane
>  
> From: Jeffrey Chester [mailto:jeff@democraticmedia.org] 
> Sent: Friday, January 06, 2012 7:37 AM
> To: Amy Colando (LCA)
> Cc: Jonathan Mayer; Heather West; Justin Brookman; public-tracking@w3.org
> Subject: Re: Draft Text on First Parties and Third Parties (ACTION-34, ISSUE-10, ISSUE-26, ISSUE-88)
>  
> User expectations is a reasonable standard and the fairest to users (and I also think management).  Such an approach places the responsibility on the managers of the site; they should be able to reasonably know whether a user can readily understand the data practices of the site.  Corporate ownership is inadequate, because sites are designed with different interests in mind, even if commonly owned.  For example, there isn't a standard landing page optimization design for such sites (note even on Flicker homepage the reduced typeface of Yahoo and its near absence at the rarely scrolled to privacy section at bottom; also the more prominent mention of both Google & Facebook.  This is an example of how confusing it may be to users).  
>  
> I also believe the proposal on third party widgets, with weather used as an example, reflects the user expectation paradigm as well.
>  
>  
>  
>  
>  
> Jeffrey Chester
> Center for Digital Democracy
> 1621 Connecticut Ave, NW, Suite 550
> Washington, DC 20009
> www.democraticmedia.org
> www.digitalads.org
> 202-986-2220
>  
> On Jan 5, 2012, at 9:19 PM, Amy Colando (LCA) wrote:
> 
> 
> Not wishing to get in the way of Heather’s reply, but I do want to identify one statement in Jonathans’ response:
>  
> I do not believe that there was a near-consensus against corporate ownership as playing a part in the definitions, whether in Santa Clara or elsewhere (unless this happened on a call I missed).  I heard clear concerns raised about vague affiliate relationships, rather than agreement to discard the notion of direct corporate ownership altogether. Indeed, ownership could be quite useful in enforcement contexts.
>  
> Thanks,
>  
> Amy
>  
> From: Jonathan Mayer [mailto:jmayer@stanford.edu] 
> Sent: Thursday, January 05, 2012 5:38 PM
> To: Heather West
> Cc: Justin Brookman; public-tracking@w3.org
> Subject: Re: Draft Text on First Parties and Third Parties (ACTION-34, ISSUE-10, ISSUE-26, ISSUE-88)
>  
>  
> On Jan 5, 2012, at 2:39 PM, Heather West wrote:
> 
> 
> 
> From our perspective, we have a several issues with this latest draft as it stands, and no, we don't think it's workable - we need to make sure, as a group, that the language is clear and implementable if we hope to see any adoption of the standard. The current draft allows for enough vagueness that evolving and contradictory interpretations would be possible across multiple regulatory environments. 
> 
> 
>  
> Which parts of the text do you find vague?  We attempted to draft it quite tightly.
> 
> 
> 
> The initial version of this issue language was short and easy to understand, and I think that's one of the reasons that we all liked it conceptually.This is long, hard to understand and open to multiple interpretations.
>  
> There are only six sentences of operative text in the draft.  Here they are, broken out:
>  
> A "party" is any commercial, nonprofit, or governmental organization, a subsidiary or unit of such an organization, or a person, that an ordinary user would perceive to be a discrete entity for purposes of information collection and sharing. Domain names, branding, and corporate ownership may contribute to, but are not necessarily determinative of, user perceptions of whether two parties are distinct.
>  
> A "network interaction" is an HTTP request and response, or any other set of logically related network traffic.
>  
> A "first party" is any party, in a specific network interaction, that can infer with high probability that the user knowingly and intentionally communicated with it. Otherwise, a party is a third party.
>  
> A "third party" is any party, in a specific network interaction, that cannot infer with high probability that the user knowingly and intentionally communicated with it.
>  
> I'm really having difficulty seeing what's "long," "hard to understand," or "open to multiple interpretations."  Especially relative to most other proposals that have been made, including the online advertising industry self-regulatory principles.
> 
> 
> 
> It also draws in many other active issues (definitional and otherwise)
>  
> I don't follow.  Tom and I addressed the ISSUEs we were tasked with covering - no more.
> 
> 
> 
> and takes them in directions other than the one that our original discussions indicated.
> 
> 
>  
> Also don't follow.  This seemed to us a straightforward implementation of the "user expectations" test.
> 
> 
> 
> An objective standard with respect to what a first party is critical, because companies and individuals who adopt this standard publicly are rightly expected by both the general public and regulators to do what they say. But the potential for evolving and variant interpretations of user perception and common branding make it unclear what is being signed up for exactly. I think we need a first party definition that is based on ownership (and being adequately clear in disclosing that ownership, whether in a privacy policy or in branding/logo/etc). This is an objective standard that allows websites to clearly understand what they are signing up for when they adopt DNT.
>  
> My understanding from Santa Clara and after was that there was a near-consensus against a corporate ownership/control/affiliation test.  Tom and I articulated some of the reasons in our draft.  There's further discussion in the email threads ""Proposed First Party definition" and "Summary of First Party vs. Third Party Tests."
> 
> 
> 
> User perception is useful to think about and certainly should impact the way that we approach the spec, but it's unworkable to ask companies, developers, and hobbyists to work based on a spec that is this subjective. Does this mean that a website consisting solely of python coding resources is evaluated on a different standard than a porn site, simply because their 'average user' is different?
>  
> We drafted the text for a site-by-site user audience.  The standard could instead specify the Internet as a whole, a specific geography (e.g. the country where the site is located), or any other subdivision.
>  
> But I don't think the distinction matters in practice.  The overwhelming majority of use cases remain very clear.  It doesn't matter whether you're StackOverflow or Playboy - users don't expect to share data with wholly independent advertising, analytics, and social services.
> 
> 
> 
> And do we have any kind of indication that users do or don't understand the things we’re talking about? Perception and intention are vague and subjective. 
> 
> 
>  
> There have been quite a few academic and industry studies of what users understand about third-party web services.  Aleecia and others who have done this research - mind sharing a brief overview?
> 
> 
> 
> I’m also a bit worried that the requirement for prominent branding for diverse companies - think news websites -- might be required to co-brand themselves with all the other news sites in the network - increasing consumer confusion. When you’re on Flickr it may be clear to the user that Yahoo uses data from Flickr as a first party, but when you’re on Yahoo, do you need to prominently co-brand the site as Flickr too? And what if you also brand the site with a third party logo? Do they become first parties? 
> 
> 
>  
> These are among the reasons I do not favor a branding test.
> 
> 
> 
> An additional use case that illustrates the compleities involved is URL shorteners, assume that the user clicked on the shortened link. Why don't they expect that they are interacting with that party, ie the link shortener? What about the goo.gl link shortener - is that branded in such a way that they know they are interacting with Google, even though that’s not where they end up? How exactly do you assume that bit.ly users don’t interact with bit.ly? There are several scenarios here - the user does or doesn’t see the URL, the user clicks on a link that is directed to the shortened URL which either does or doesn’t indicate that it’s a shortened link (but is likely to indicate the final destination of the shortened link). These either need to be fleshed out or we need to decide how to deal with shorteners as first parties.
> 
> 
>  
> Tom and I did not address URL shorteners in our draft.  ("ISSUE-97: A special rule for URL-shortening services remains an open issue and is not addressed in this proposal.")  I would support Justin's proposal for noting that a URL shortener is, in general, a third party.  If that's a point of controversy, then let's keep the separate ISSUE and hold it for later.
> 
> 
> 
> How would a restriction on URL shorteners as redirection impact sites (often news sites) that redirect a human-readable URL (newssite.com/that-thing-happened/) to a machine readable URL (newssite.com/423dfsgs59/ from a legacy CMS?
> 
> 
>  
> I don't understand this example.  For both URLS, News Site would be a first party.
> 
> 
> 
> Finally, on the topic of mash-ups, I think the mashup idea needs to be fleshed out and accounted for, simply because the incorporation of content on websites is common and useful. Even if it makes up a small percentage of web traffic today, this is an area of innovation that will probably increase greatly over time.
>  
> While I'm skeptical that mashups will become much more common, I completely agree that we should address them.  Like URL shorteners, if they're a point of controversy, let's mark an ISSUE and hold it until we settle the far more frequent use cases.
> 
> 
> 
> If Google, for example, wants to be DNT compliant, we need to account for this in the context of Google Reader.
>  
> Could you explain what you mean?  If a user visits Google Reader, it's a first party.  Under the proposals that have been advanced, Google would not be responsible for third-party RSS content (and whatever's embedded in it).
> 
> 
> 
> And the many blogs I read are (many of whom have analytics and/or share buttons) by and large going to assume that they are first party, without concerning themselves with whether or not their content is being consumed via an aggregator. Figuring out where aggregators fit into this is key, and we should either say that a content feed that is proactively added by the user with the understanding that it will appear on the first party site (like Reader) is first party content, or that the first party is not responsible for the content of the page.
>  
> I see two analytical approaches to news aggregators: 1) treat them as a possible multiple first party scenario, or 2) consider them a species of the "what the hell, someone went and embedded all my content" problem discussed on yesterday's call.
>  
> Whatever the analytical approach, and whatever the result, I'm not particularly concerned about the privacy implications.  At most a news site and its embedded content learn one additional fact about a user - that they use a news aggregator.
>  
> I'd propose that, like for URL shorteners and mashups, we take the group's temperature on how to treat news aggregators.  If there's not consensus, let's create a new ISSUE and reserve it for later.  We shouldn't delay consensus on the major issues over a few edge cases.
> 
> 
> 
> Heather (and Sean)
>  
> On Thu, Jan 5, 2012 at 11:33 AM, Justin Brookman <justin@cdt.org> wrote:
> I would revise the definition of first party to "A first party is, in a specific network interaction, the operator of the domain with which the user intended to communicate."  I would remove the entire section about multiple first parties as I do not believe a realistic example has been presented where that would ever be the case.  In the example of the craigslist/Google Maps mashup, whichever of the two is the actual operator of the domain should be the first party and the other would be the third party (or, if an entirely different entity operates the mashup, as appears to be the case at HousingMaps.com, the operator of HousingMaps is the first party and craigslist and Google are third parties if they're present at all).  Third parties can still become first parties if their content is clearly branded and a user meaningfully interacts with the content.  Writing a spec for the extreme and unprecedented edge case facebookandmoviefonebothrunthisdomain.com will cause more uncertainty and invite abuse while not solving an actual problem.  Domains have one operator; until co-registration becomes an option, sticking with one first party makes sense.
> 
> I like David's proposed counterexample to 4.1(a).  I believe my above suggestion should take the place of his counterexample to 4.1(b) (though both are designed to achieve the same goal).
> 
> On the call, we seemed to agree that it should be a necessary condition for an entity to be under common corporate control as the site operator in order to be a first party (or a third party who gets permission to track).  Thus, I would revise the definition of party to: "A 'party' is any person or commercial, nonprofit, or governmental organization, as well as any person or organization that operates under the same corporate or governmental control as the party and [discoverability/branding/user perception --- whatever test we use]."
> 
> I will again make the argument that branding seems the more reasonable and concrete test here, and will provide the most certainty for users and companies, but I await Shane's pitch for why discoverability is sufficiently clear to users (or Jonathan's counterpitch on why "user perception" is sufficiently workable).
> 
> I would also add .url shortener services as a specific example of a third party with which the user was not intending to communicate.
> 
> 
> Justin Brookman
> Director, Consumer Privacy Project
> Center for Democracy & Technology
> 1634 I Street NW, Suite 1100
> Washington, DC 20006
> tel 202.407.8812
> fax 202.637.0969
> justin@cdt.org
> http://www.cdt.org
> @CenDemTech
> @JustinBrookman
> 
> On 1/4/2012 6:51 PM, Jonathan Robert Mayer wrote:
> Understood. I took my own notes, and we'll work from the minutes. If others would like to write up their proposed changes, that would be most helpful,
>  
> Jonathan
> 
> On Jan 4, 2012, at 3:46 PM, David Singer <singer@apple.com> wrote:
> 
> To be clear, I only provide the edits I personally suggested;  I think all of us were asked to be precise about what we were suggesting, and I didn't do anyone else's suggestions.
>  
> On Jan 4, 2012, at 15:42 , Jonathan Robert Mayer wrote:
> 
> 
> 
> Thanks for taking notes. Tom and I will revise the text to incorporate what we heard on today's call. Much of the focus was on the edge cases of mashups and inadvertantly embedded content - which strongly suggests to me that we're very close to consensus.
>  
> The two outstanding high-level concerns that I recall are:
>  
> 1) Are the standards we provide workable in practice? I believe close calls will be very rare, and only companies gaming the margin would have to consider surveying users. Heather was less sure. Heather, could you suggest a few common use cases that lead to a difficult analysis under the draft's standards?
>  
> 2) Shane suggested (and a few supported) moving to a user-is-able-to-discover-information standard for what's a party and what's a first or third party. Shane, could you briefly sketch what this standard might look like and give a few examples where it would work a different result from our user expectations standard?
>  
> Jonathan
> 
> On Jan 4, 2012, at 1:27 PM, David Singer <singer@apple.com> wrote:
> 
> Here are my comments/suggestions, after this morning's call.
>  
> 1) section 2.1.  Make clear that the user is a party, or specifically say that the definition defines parties that may be 1st or 3rd.
>   also raise an issue for a clear definition of what falls into the 2nd party?? (e.g. software or other agents acting on the user's behalf??)
>  
> 2) section 2.1.  Consider adding the condition that two separate legal entities cannot be considered a single party (in our context).
>  
> 3) section 2.1.  Add an issue that we may want to strengthen the definition to the point where it is testable.
>  
> 4) section 4.1.  Make the definitions of what is a 1st party a list of conditions, all of which apply.
>  
> 5) section 4.1.  Add to the list of conditions:
>   a) the user must be directly aware of the existence and identity of a separate entity, prior to their interaction.
>   b) the user's makes an independent choice to communicate/interact with the entity.
>  
> Counter-examples to (a) are a weather or other widget with no obvious branding or other evidence to show it came from another organization or entity; the user is not aware of a separate identity behind it.
> Counter-examples to (b) are where sites are mash-ups of unpredictable sources; the user, by visiting the mash-up, chose only the mashing site as the first party; until the user interacts further, the mashed sites are third parties (and rule (a) applies as well - the user must be aware that they are mashed in, and not sourced by the mashing site).
>  
>  
>  
>  
> On Dec 22, 2011, at 15:25 , Jonathan Mayer wrote:
> 
> 
> 
> Tom and I have worked for several weeks on a comprehensive draft of the sections delineating first parties and third parties.  We attempted to reflect the approaching-consensus discussion at Santa Clara and on the email list.  Our draft includes both operative standards language and non-normative explanation and examples.  The text is formatted with the W3C template to better resemble how it would appear in the final document; please note that this is not an Editor's Draft (as the template might suggest).
>  
> Jonathan
>  
> <parties-draft-jm-tl.html>
>  
>  
> David Singer
> Multimedia and Software Standards, Apple Inc.
>  
>  
> David Singer
> Multimedia and Software Standards, Apple Inc.
>  
> 
> 
>  
> --
> 
>  
>  
Received on Saturday, 7 January 2012 23:49:36 UTC

This archive was generated by hypermail 2.3.1 : Friday, 3 November 2017 21:44:43 UTC