Re: Draft Text on First Parties and Third Parties (ACTION-34, ISSUE-10, ISSUE-26, ISSUE-88)

Sorry to enter this debate pretty late but I must 
react to some of the remarks made in this thread.

How can you infer from Flick's webpage 
( that users *knowingly* and 
*intentionally* communicated with Yahoo if not 
even the Flickr's "About" page 
( clearly mentions 
its ownership relationship with "Yahoo"? And even 
if, to use John Simpson's words, there is a 
"growing awareness that Yahoo owns Flickr", it is 
definitely not sufficient to make it transparent 
for the user to clearly understand that 
relationship.  Neither does the privacy page 
clearly mention the company that is actually 
processing the user's personal information since 
it only reads, at the bottom of the page, and 
without any URL linking Yahoo's Privacy page:

"To find out how Yahoo! treats your personal 
information, please visit our Privacy Policy."
It is obviously Yahoo's intent not to clearly 
explain that relationship.  This could be because 
the company does not want to lose a share of its 
users who, as current Flickr users, for not 
having had a good experience with Yahoo in the 
past or for not wishing to merge their Flickr 
account with their Yahoo account, might decide to 
stop using them.

If I am a Flickr user since before Yahoo acquired 
Flickr, it is relevant to me to know whether it 
is Flickr itself or another company (Yahoo in 
this case) that ultimately collects, sells or 
otherwise uses my personal information.  It 
should be clear right from the start - and not 
after a couple of years - since my data has been 
disclosed to Yahoo as soon as it acquired Flickr.

This information is not clearly stated on the 
very pages where it should be mentioned: the 
"About" and "Privacy" pages.

Since the main aim of the DNT standard is to 
protect the legitimate interests of Internet 
users and consumers, there should be, as a 
minimum, clear information on any website that 
enables them to understand which company 
collects, uses and sells their personal 
information, and to make a decision about whether 
they agree to have that specific company do it.

The distinction between 1st and 3rd parties 
should be primarily drafted so as to take into 
account how transparent it is _for the user_ (and 
not for the company) to understand how his/her 
personal information is being processed 
(collected, used, sold, etc.).

>I quote from Section 3 of the TPE specification:
>"The goal of this protocol is to allow a user to 
>express their personal preference regarding 
>cross-site tracking to each server and web 
>application that they communicate with via HTTP, 
>thereby allowing each service to either adjust 
>their behavior to meet the user's expectations 
>or reach a separate agreement with the user to 
>satisfy all parties."
>(I would argue that this should be simply 
>"personal preference regarding tracking," but 
>that is besides the point here.)
>Clearly, based on the current iteration of the 
>specification, user expectations are the 
>foundation of the standard we're trying to 
>The beauty of Jonathan's and Tom's proposal is 
>that it recognizes the primary function of user 
>expectations and acknowledges that "Domain 
>names, branding, and corporate ownership may 
>contribute to, but are not necessarily 
>determinative of, user perceptions of whether 
>two parties are distinct."
>Yes, users' perceptions may evolve over time and 
>a good standard should allow that.  Example: a 
>few years ago, most users weren't aware of the 
>fact that Google owns YouTube. Now, despite a 
>lack of co-branding I'd say most users 
>understand this. I'd say there is probably a 
>growing awareness that Yahoo owns Flickr.
>"Affiliated sites" certainly doesn't offer a 
>clear standard.  What does affiliated mean? Is 
>an affiliated site a subsidiary,  a partner, a 
>site with whom one has a contractual agreement, 
>or perhaps even a site "affiliated" through 
>joint membership in a trade association?
>User perception is the key to providing users 
>with the privacy tools to which they are 
>entitled and in most cases sites can easily 
>determine whether they are 1st or 3rd parties. 
> If they are pushing the envelope, they do so at 
>their own risk.
>Finally, if a site has doubts about its status 
>or can't reasonably "infer with high probability 
>that the user knowingly and intentionally 
>communicated with it,"  there is a simple 
>solution: the site should behave as a compliant 
>third party site when encountering an enabled 
>DNT header and not collect and share the users's 
>On Jan 6, 2012, at 8:24 AM, Shane Wiley wrote:
>>The difficulty with attempting to apply a "user 
>>expectation" standard is that every user has a 
>>personal, individual expectation - driving by 
>>their own experiences, education, culture, and 
>>other factors.  Even as we attempt to aggregate 
>>"user expectations" to an "ordinary user" this 
>>too changes by market, demographic, etc. - AND 
>>- will change over time.  2012's average, 
>>ordinary, younger US web user will have a 
>>different set of expectations than that same 
>>user in 2017 - just 5 years from now.
>>I believe we should take a step back to look at 
>>the original problem we're attempting to solve 
>>for and take a more descriptive approach (vs. 
>>philosophically subjective one) to address 
>>where exceptions should be applied.  The main 
>>target for DNT is 3rd party ad networks and 
>>data aggregators - those collecting data across 
>>non-commonly branded or affiliated sites.  I 
>>don't believe the true intention here was to go 
>>after companies that operate multiple brands 
>>(grocery stores, pharmaceutical companies, 
>>media, etc.).  While we can each argue 
>>different points of view on the "expectation" 
>>of users in these scenarios, I suggest we go 
>>back to original goal of setting true 
>>3rd parties apart from "commonly operated 
>>There will be no ad network or DSP that will be 
>>able to claim it is a first party on any 
>>website other than its own (which consumers 
>>rarely visit).  And no true content provider is 
>>going to risk brand displacement or erosion by 
>>allowing any of those parties to co-brand on 
>>their properties.
>>So rather than continue this run into an 
>>endless black hole, I would suggest we define 
>>1st parties as Justin had put forth:  "A first 
>>party is, in a specific network interaction, 
>>the party that operates the domainŠ".
>>We can go further to suggest parties 
>>MUST/SHOULD make their brand available at a 
>>minimum of 1 click away through a common link 
>>and with unavoidable prominence (Privacy, About 
>>Our Ads, etc.).  This would cover both Flickr 
>>(which I'll continue to defend as obviously a 
>>Yahoo! branded product) and Disney which has 
>>bold, prominent branding in their privacy 
>>policy.  It would at the same time force those 
>>1st parties that don't make this information 
>>easy to find today change their approach to do 
>>so (in order to state they are DNT compliant).
>>Attempting to ask the entire world to alter 
>>branding strategies to accommodate DNT is most 
>>likely a non-starter and has significant impact 
>>in both offline and online scenarios 
>>(rebranding, legal/contract implications, 
>>signage, back-end programming, etc.).
>>- Shane
>>From: Jeffrey Chester [] 
>>Sent: Friday, January 06, 2012 7:37 AM
>>To: Amy Colando (LCA)
>>Cc: Jonathan Mayer; Heather West; Justin 
>>Brookman; <>
>>Subject: Re: Draft Text on First Parties and 
>>Third Parties (ACTION-34, ISSUE-10, ISSUE-26, 
>>User expectations is a reasonable standard and 
>>the fairest to users (and I also think 
>>management).  Such an approach places the 
>>responsibility on the managers of the site; 
>>they should be able to reasonably know whether 
>>a user can readily understand the data 
>>practices of the site.  Corporate ownership is 
>>inadequate, because sites are designed with 
>>different interests in mind, even if commonly 
>>owned.  For example, there isn't a standard 
>>landing page optimization design for such sites 
>>(note even on Flicker homepage the reduced 
>>typeface of Yahoo and its near absence at the 
>>rarely scrolled to privacy section at bottom; 
>>also the more prominent mention of both Google 
>>& Facebook.  This is an example of how 
>>confusing it may be to users).
>>I also believe the proposal on third party 
>>widgets, with weather used as an example, 
>>reflects the user expectation paradigm as well.
>>Jeffrey Chester
>>Center for Digital Democracy
>>1621 Connecticut Ave, NW, Suite 550
>>Washington, DC 20009
>>On Jan 5, 2012, at 9:19 PM, Amy Colando (LCA) wrote:
>>Not wishing to get in the way of Heather's 
>>reply, but I do want to identify one statement 
>>in Jonathans' response:
>>I do not believe that there was a 
>>near-consensus against corporate ownership as 
>>playing a part in the definitions, whether in 
>>Santa Clara or elsewhere (unless this happened 
>>on a call I missed).  I heard clear concerns 
>>raised about vague affiliate relationships, 
>>rather than agreement to discard the notion of 
>>direct corporate ownership altogether. Indeed, 
>>ownership could be quite useful in enforcement 
>>From: Jonathan Mayer [] 
>>Sent: Thursday, January 05, 2012 5:38 PM
>>To: Heather West
>>Cc: Justin Brookman; <>
>>Subject: Re: Draft Text on First Parties and 
>>Third Parties (ACTION-34, ISSUE-10, ISSUE-26, 
>>On Jan 5, 2012, at 2:39 PM, Heather West wrote:
>>From our perspective, we have a several issues 
>>with this latest draft as it stands, and no, we 
>>don't think it's workable - we need to make 
>>sure, as a group, that the language is clear 
>>and implementable if we hope to see any 
>>adoption of the standard. The current draft 
>>allows for enough vagueness that evolving and 
>>contradictory interpretations would be possible 
>>across multiple regulatory environments.
>>Which parts of the text do you find vague?  We 
>>attempted to draft it quite tightly.
>>The initial version of this issue language was 
>>short and easy to understand, and I think 
>>that's one of the reasons that we all liked it 
>>conceptually.This is long, hard to understand 
>>and open to multiple interpretations.
>>There are only six sentences of operative text 
>>in the draft.  Here they are, broken out:
>>A "party" is any commercial, nonprofit, or 
>>governmental organization, a subsidiary or unit 
>>of such an organization, or a person, that an 
>>ordinary user would perceive to be a discrete 
>>entity for purposes of information collection 
>>and sharing. Domain names, branding, and 
>>corporate ownership may contribute to, but are 
>>not necessarily determinative of, user 
>>perceptions of whether two parties are distinct.
>>A "network interaction" is an HTTP request and 
>>response, or any other set of logically related 
>>network traffic.
>>A "first party" is any party, in a specific 
>>network interaction, that can infer with high 
>>probability that the user knowingly and 
>>intentionally communicated with it. Otherwise, 
>>a party is a third party.
>>A "third party" is any party, in a specific 
>>network interaction, that cannot infer with 
>>high probability that the user knowingly and 
>>intentionally communicated with it.
>>I'm really having difficulty seeing what's 
>>"long," "hard to understand," or "open to 
>>multiple interpretations."  Especially relative 
>>to most other proposals that have been made, 
>>including the online advertising industry 
>>self-regulatory principles.
>>It also draws in many other active issues (definitional and otherwise)
>>I don't follow.  Tom and I addressed the ISSUEs 
>>we were tasked with covering - no more.
>>and takes them in directions other than the one 
>>that our original discussions indicated.
>>Also don't follow.  This seemed to us a 
>>straightforward implementation of the "user 
>>expectations" test.
>>An objective standard with respect to what a 
>>first party is critical, because companies and 
>>individuals who adopt this standard publicly 
>>are rightly expected by both the general public 
>>and regulators to do what they say. But the 
>>potential for evolving and variant 
>>interpretations of user perception and common 
>>branding make it unclear what is being signed 
>>up for exactly. I think we need a first party 
>>definition that is based on ownership (and 
>>being adequately clear in disclosing that 
>>ownership, whether in a privacy policy or in 
>>branding/logo/etc). This is an objective 
>>standard that allows websites to clearly 
>>understand what they are signing up for when 
>>they adopt DNT.
>>My understanding from Santa Clara and after was 
>>that there was a near-consensus against a 
>>corporate ownership/control/affiliation test. 
>> Tom and I articulated some of the reasons in 
>>our draft.  There's further discussion in the 
>>email threads ""Proposed First Party 
>>definition" and "Summary of First Party vs. 
>>Third Party Tests."
>>User perception is useful to think about and 
>>certainly should impact the way that we 
>>approach the spec, but it's unworkable to ask 
>>companies, developers, and hobbyists to work 
>>based on a spec that is this subjective. Does 
>>this mean that a website consisting solely of 
>>python coding resources is evaluated on a 
>>different standard than a porn site, simply 
>>because their 'average user' is different?
>>We drafted the text for a site-by-site user 
>>audience.  The standard could instead specify 
>>the Internet as a whole, a specific geography 
>>(e.g. the country where the site is located), 
>>or any other subdivision.
>>But I don't think the distinction matters in 
>>practice.  The overwhelming majority of use 
>>cases remain very clear.  It doesn't matter 
>>whether you're StackOverflow or Playboy - users 
>>don't expect to share data with wholly 
>>independent advertising, analytics, and social 
>>And do we have any kind of indication that 
>>users do or don't understand the things we're 
>>talking about? Perception and intention are 
>>vague and subjective. 
>>There have been quite a few academic and 
>>industry studies of what users understand about 
>>third-party web services.  Aleecia and others 
>>who have done this research - mind sharing a 
>>brief overview?
>>I'm also a bit worried that the requirement for 
>>prominent branding for diverse companies - 
>>think news websites -- might be required to 
>>co-brand themselves with all the other news 
>>sites in the network - increasing consumer 
>>confusion. When you're on Flickr it may be 
>>clear to the user that Yahoo uses data from 
>>Flickr as a first party, but when you're on 
>>Yahoo, do you need to prominently co-brand the 
>>site as Flickr too? And what if you also brand 
>>the site with a third party logo? Do they 
>>become first parties? 
>>These are among the reasons I do not favor a branding test.
>>An additional use case that illustrates the 
>>compleities involved is URL shorteners, assume 
>>that the user clicked on the shortened link. 
>>Why don't they expect that they are interacting 
>>with that party, ie the link shortener? What 
>>about the <> link shortener 
>>- is that branded in such a way that they know 
>>they are interacting with Google, even though 
>>that's not where they end up? How exactly do 
>>you assume that <> users 
>>don't interact 
>>with <> There are several 
>>scenarios here - the user does or doesn't see 
>>the URL, the user clicks on a link that is 
>>directed to the shortened URL which either does 
>>or doesn't indicate that it's a shortened link 
>>(but is likely to indicate the final 
>>destination of the shortened link). These 
>>either need to be fleshed out or we need to 
>>decide how to deal with shorteners as first 
>>Tom and I did not address URL shorteners in our 
>>draft.  ("ISSUE-97: A special rule for 
>>URL-shortening services remains an open issue 
>>and is not addressed in this proposal.")  I 
>>would support Justin's proposal for noting that 
>>a URL shortener is, in general, a third party. 
>> If that's a point of controversy, then let's 
>>keep the separate ISSUE and hold it for later.
>>How would a restriction on URL shorteners as 
>>redirection impact sites (often news sites) 
>>that redirect a human-readable URL 
>>to a machine readable URL 
>>(<> from 
>>a legacy CMS?
>>I don't understand this example.  For both 
>>URLS, News Site would be a first party.
>>Finally, on the topic of mash-ups, I think the 
>>mashup idea needs to be fleshed out and 
>>accounted for, simply because the incorporation 
>>of content on websites is common and useful. 
>>Even if it makes up a small percentage of web 
>>traffic today, this is an area of innovation 
>>that will probably increase greatly over time.
>>While I'm skeptical that mashups will become 
>>much more common, I completely agree that we 
>>should address them.  Like URL shorteners, if 
>>they're a point of controversy, let's mark an 
>>ISSUE and hold it until we settle the far more 
>>frequent use cases.
>>If Google, for example, wants to be DNT 
>>compliant, we need to account for this in the 
>>context of Google Reader.
>>Could you explain what you mean?  If a user 
>>visits Google Reader, it's a first party. 
>> Under the proposals that have been advanced, 
>>Google would not be responsible for third-party 
>>RSS content (and whatever's embedded in it).
>>And the many blogs I read are (many of whom 
>>have analytics and/or share buttons) by and 
>>large going to assume that they are first 
>>party, without concerning themselves with 
>>whether or not their content is being consumed 
>>via an aggregator. Figuring out where 
>>aggregators fit into this is key, and we should 
>>either say that a content feed that is 
>>proactively added by the user with the 
>>understanding that it will appear on the first 
>>party site (like Reader) is first party 
>>content, or that the first party is not 
>>responsible for the content of the page.
>>I see two analytical approaches to news 
>>aggregators: 1) treat them as a possible 
>>multiple first party scenario, or 2) consider 
>>them a species of the "what the hell, someone 
>>went and embedded all my content" problem 
>>discussed on yesterday's call.
>>Whatever the analytical approach, and whatever 
>>the result, I'm not particularly concerned 
>>about the privacy implications.  At most a news 
>>site and its embedded content learn one 
>>additional fact about a user - that they use a 
>>news aggregator.
>>I'd propose that, like for URL shorteners and 
>>mashups, we take the group's temperature on how 
>>to treat news aggregators.  If there's not 
>>consensus, let's create a new ISSUE and reserve 
>>it for later.  We shouldn't delay consensus on 
>>the major issues over a few edge cases.
>>Heather (and Sean)
>>On Thu, Jan 5, 2012 at 11:33 AM, Justin 
>><<>> wrote:
>>I would revise the definition of first party to 
>>"A first party is, in a specific network 
>>interaction, the operator of the domain with 
>>which the user intended to communicate."  I 
>>would remove the entire section about multiple 
>>first parties as I do not believe a realistic 
>>example has been presented where that would 
>>ever be the case.  In the example of the 
>>craigslist/Google Maps mashup, whichever of the 
>>two is the actual operator of the domain should 
>>be the first party and the other would be the 
>>third party (or, if an entirely different 
>>entity operates the mashup, as appears to be 
>>the case 
>>at <>, the 
>>operator of HousingMaps is the first party and 
>>craigslist and Google are third parties if 
>>they're present at all).  Third parties can 
>>still become first parties if their content is 
>>clearly branded and a user meaningfully 
>>interacts with the content.  Writing a spec for 
>>the extreme and unprecedented edge 
>>case <> will 
>>cause more uncertainty and invite abuse while 
>>not solving an actual problem.  Domains have 
>>one operator; until co-registration becomes an 
>>option, sticking with one first party makes 
>>I like David's proposed counterexample to 
>>4.1(a).  I believe my above suggestion should 
>>take the place of his counterexample to 4.1(b) 
>>(though both are designed to achieve the same 
>>On the call, we seemed to agree that it should 
>>be a necessary condition for an entity to be 
>>under common corporate control as the site 
>>operator in order to be a first party (or a 
>>third party who gets permission to track). 
>>Thus, I would revise the definition of party 
>>to: "A 'party' is any person or commercial, 
>>nonprofit, or governmental organization, as 
>>well as any person or organization that 
>>operates under the same corporate or 
>>governmental control as the party and 
>>[discoverability/branding/user perception --- 
>>whatever test we use]."
>>I will again make the argument that branding 
>>seems the more reasonable and concrete test 
>>here, and will provide the most certainty for 
>>users and companies, but I await Shane's pitch 
>>for why discoverability is sufficiently clear 
>>to users (or Jonathan's counterpitch on why 
>>"user perception" is sufficiently workable).
>>I would also add .url shortener services as a 
>>specific example of a third party with which 
>>the user was not intending to communicate.
>>Justin Brookman
>>Director, Consumer Privacy Project
>>Center for Democracy & Technology
>>1634 I Street NW, Suite 1100
>>Washington, DC 20006
>>tel <tel:202.407.8812>202.407.8812
>>fax <tel:202.637.0969>202.637.0969
>>On 1/4/2012 6:51 PM, Jonathan Robert Mayer wrote:
>>Understood. I took my own notes, and we'll work 
>>from the minutes. If others would like to write 
>>up their proposed changes, that would be most 
>>On Jan 4, 2012, at 3:46 PM, David Singer 
>>To be clear, I only provide the edits I 
>>personally suggested;  I think all of us were 
>>asked to be precise about what we were 
>>suggesting, and I didn't do anyone else's 
>>On Jan 4, 2012, at 15:42 , Jonathan Robert Mayer wrote:
>>Thanks for taking notes. Tom and I will revise 
>>the text to incorporate what we heard on 
>>today's call. Much of the focus was on the edge 
>>cases of mashups and inadvertantly embedded 
>>content - which strongly suggests to me that 
>>we're very close to consensus.
>>The two outstanding high-level concerns that I recall are:
>>1) Are the standards we provide workable in 
>>practice? I believe close calls will be very 
>>rare, and only companies gaming the margin 
>>would have to consider surveying users. Heather 
>>was less sure. Heather, could you suggest a few 
>>common use cases that lead to a difficult 
>>analysis under the draft's standards?
>>2) Shane suggested (and a few supported) moving 
>>to a user-is-able-to-discover-information 
>>standard for what's a party and what's a first 
>>or third party. Shane, could you briefly sketch 
>>what this standard might look like and give a 
>>few examples where it would work a different 
>>result from our user expectations standard?
>>On Jan 4, 2012, at 1:27 PM, David Singer 
>>Here are my comments/suggestions, after this morning's call.
>>1) section 2.1.  Make clear that the user is a 
>>party, or specifically say that the definition 
>>defines parties that may be 1st or 3rd.
>>   also raise an issue for a clear definition of 
>>what falls into the 2nd party?? (e.g. software 
>>or other agents acting on the user's behalf??)
>>2) section 2.1.  Consider adding the condition 
>>that two separate legal entities cannot be 
>>considered a single party (in our context).
>>3) section 2.1.  Add an issue that we may want 
>>to strengthen the definition to the point where 
>>it is testable.
>>4) section 4.1.  Make the definitions of what 
>>is a 1st party a list of conditions, all of 
>>which apply.
>>5) section 4.1.  Add to the list of conditions:
>>   a) the user must be directly aware of the 
>>existence and identity of a separate entity, 
>>prior to their interaction.
>>   b) the user's makes an independent choice to 
>>communicate/interact with the entity.
>>Counter-examples to (a) are a weather or other 
>>widget with no obvious branding or other 
>>evidence to show it came from another 
>>organization or entity; the user is not aware 
>>of a separate identity behind it.
>>Counter-examples to (b) are where sites are 
>>mash-ups of unpredictable sources; the user, by 
>>visiting the mash-up, chose only the mashing 
>>site as the first party; until the user 
>>interacts further, the mashed sites are third 
>>parties (and rule (a) applies as well - the 
>>user must be aware that they are mashed in, and 
>>not sourced by the mashing site).
>>On Dec 22, 2011, at 15:25 , Jonathan Mayer wrote:
>>Tom and I have worked for several weeks on a 
>>comprehensive draft of the sections delineating 
>>first parties and third parties.  We attempted 
>>to reflect the approaching-consensus discussion 
>>at Santa Clara and on the email list.  Our 
>>draft includes both operative standards 
>>language and non-normative explanation and 
>>examples.  The text is formatted with the W3C 
>>template to better resemble how it would appear 
>>in the final document; please note that this 
>>is not an Editor's Draft (as the template might 
>>David Singer
>>Multimedia and Software Standards, Apple Inc.
>>David Singer
>>Multimedia and Software Standards, Apple Inc.
>John M. Simpson
>Consumer Advocate
>Consumer Watchdog
>1750 Ocean Park Blvd. ,Suite 200
>Santa Monica, CA,90405
>Tel: 310-392-7041
>Cell: 310-292-1902

Cedric Laurant, Esq.
Mobile (Europe): +32 (0)470 64 16 59 [GMT+1]
Office tel. (USA): +1 (202) 470-6870
Twitter: @cedric_laurant & @security_breach

Received on Monday, 9 January 2012 10:14:05 UTC