
Re: Draft Text on First Parties and Third Parties (ACTION-34, ISSUE-10, ISSUE-26, ISSUE-88)

From: Jonathan Mayer <jmayer@stanford.edu>
Date: Tue, 10 Jan 2012 14:28:04 -0800
Cc: public-tracking@w3.org
Message-Id: <8DF5BEEE-A3C5-4F42-8738-D942A1EB9457@stanford.edu>
To: Justin Brookman <justin@cdt.org>

On Jan 10, 2012, at 12:58 PM, Justin Brookman wrote:

> 
>> If I understand correctly, you are proposing two additional limits on first parties.  First, there can only be at most one first party per web page.  Second, if there is a first party for a web page, it can only be the party listed in the registration for the PS+1 in the browser's URL bar.  I have reservations about both of these limitations, but before going there, I want to make sure we're on the same page.
> Yes, that is my suggestion, though a visible browser URL bar is not necessary.
>>>> On "with which the user intended to communicate":
>>>> Tom and I drafted objective definitions that require a universal, straightforward, testable judgement about party divisions and party status.  Subjective standards are unworkable - we can't expect a website to understand each user's mental state.
>>> I don't see how "with which the user intended to communicate" is any more subjective than "that can infer with high probability that the user knowingly and intentionally communicated with it."  I'm not wedded to my language, but I think tying intent to the specific domain the user's trying to get to instead of the more vague concept of who the user is might be trying to "communicate with" on any given domain is more precise and will make implementation simpler.
>> 
>> I want to unpack two points here.
>> 
>> First, on subjectivity vs. objectivity: The text Tom and I drafted is objective.  It *does not* ask a website to understand each user's mental state.  Rather, it expects a website to have an understanding of how its audience, in the aggregate, expects to interact with it.  In almost all cases the answer is very straightforward.  The text you are proposing, on the other hand, is subjective.  It *does* ask a website to know what each user is thinking.  That's clearly unworkable, and I understand why it's a non-starter for many around the table.
> Uh, I'm not sure how you interpret your definition as an objective aggregate subjective understanding and mine as an individualized subjective understanding since both refer to "the user" in any individual transaction.  I think both definitions are trying to get to a reasonable user's expectations in any specific scenario (which millions of users will go through individually).  Maybe: "A first party is, in a specific network interaction, the operator of the domain with which a reasonable user would have intended to communicate."  (Working group members have suggested corporate structure as a means to avoid subjective "reasonable expectations" around what constitutes a common "party," but I haven't seen an effort to come up with a truly objective test on which parties are first parties.)

I think we may be talking past each other.  I mean "objective" as that term is used in the American legal system (and many other legal systems).  Hornbook law in a number of areas applies an objective reasonableness test (often anthropomorphized as an "ordinary person," "reasonable person," or "average person").  To the extent there's a little play at the margin, Tom and I adopted the "average user" formulation to clarify that survey data would be adequate to make a determination.

>> Second, on your reliance on domains: I think it's unwise to turn our "first party" definition on what's in the URL bar.  Visible domain names - and URLs - are slowly going the way of the dinosaur.  Many browsers now feature a URL bar-free or URL bar-hidden mode, and mobile apps rarely show the user which websites they're communicating with.
> I don't care if the URL is visible or not.  As I understand how the web is structured, there is a primary domain that hosts the content of a particular page, and it may or may not embed third party content.  The operator of that domain is the first-party.  I am not a web developer so my understanding may well be wrong, but I haven't seen a use case that disabuses me of this notion yet (not saying they don't exist).

Three concerns.

First, if the URL bar is hidden, there may be a tenuous relationship between a webpage's domain and user expectations.  The user may have no idea which domain they've loaded content from.

Second, like the URL bar, the notion of a single, full-window webpage that embeds other resources is slowly fading.  Many apps (both mobile and desktop) load standalone frames or other resources over HTTP.  This is how the majority of mobile app ad libraries work, for example.

Third, I don't think it makes much sense to link our first party definition to domain registrations.  WHOIS information is often private, out of date, or just wrong (see https://community.icann.org/display/whoisreview/WHOIS+Background+Information).

I don't mean to be overly critical of the URL bar + WHOIS proposal.  I think it's a very useful rule of thumb that will give the right result in many - if not most - traditional webpage use cases.  I would strongly support clarifying that in the non-normative discussion.  (The current text reads: "There will almost always be only one party that the average user would expect to communicate with: the provider of the website the user has visited.")

>>> In practice, I don't believe passive tracking on third-party platforms is common.
>> 
>> Some platforms (e.g. Facebook) limit custom HTML, CSS, and JavaScript, mooting the issue.  But some (e.g. Tumblr) tout their support for tracking content - see http://www.tumblr.com/docs/en/google_analytics.  We will have to address this.
> I prefer the certainty provided by a one first-party model.

Could you explain your concerns more fully?  The language Tom and I drafted notes that there will "almost always be only one" first party, and multiple first parties only occur "in rare cases."  I don't see much room for gaming that text.

> A first-party platform could still provide aggregate data about subdomain usage to their customers, whether calculated by the first party itself or a service provider (to the first party, not the third party).

Setting aside issues of user expectations (where research is needed), I imagine some platforms and platform users would have concerns about this outcome.  I'll leave that to others to articulate.


Received on Tuesday, 10 January 2012 22:31:11 UTC
