Re: Third parties should not pretend to be first parties from Justin Brookman on 2012-03-01 (public-tracking@w3.org from March 2012)

From: Justin Brookman <jbrookman@cdt.org>
Date: Wed, 29 Feb 2012 22:53:51 -0500
To: public-tracking@w3.org
Message-ID: <20120301035351.907f7303@mail.maclaboratory.net>
There is already an entire section of the compliance spec on this exact issue --- 4.4.2 Exception for Outsourcing.  Is there any reason that exception does not address everyone's concerns, rather than resorting to the fiction that service providers are the same entity as the first party (despite an earlier definition of party that says otherwise)?

If the current exception for outsourcing is not sufficient, I would suggest just revising that to address the problem instead of torturing the definition of "party."
  _____  

From: Joanne Furtsch [mailto:jfurtsch@truste.com]
To: Shane Wiley [mailto:wileys@yahoo-inc.com], Roy T. Fielding [mailto:fielding@gbiv.com], Jonathan Mayer [mailto:jmayer@stanford.edu]
Cc: Tom Lowenthal [mailto:tom@mozilla.com], public-tracking@w3.org [mailto:public-tracking@w3.org]
Sent: Wed, 29 Feb 2012 22:24:07 -0500
Subject: Re: Third parties should not pretend to be first parties

Agree Service Provider should be defined since they would show up as a
  third party but are acting on behalf of a first party in essence making
  them a first party. It is a special category of third party.  Here is a
  proposed Service Provider definition as a starting point.
  
  "Service Provider" is anyone other than the First Party that performs, or
  assists in the performance of a function or activity that may involve the
  collection, use, and disclosure of data. Such use must only be on behalf
  and at the instruction of the First Party, and only for the purpose of
  performing or assisting in that specific function or activity as agreed to
  by the First Party.
  
  
  On 2/29/12 6:41 PM, "Shane Wiley" <wileys@yahoo-inc.com> wrote:
  
  >I agree with both sides and suggest we set forth the definition of a
  >Service Provider as a separate and distinct, "special" kind of 3rd party
  >that is able to be treated as a 1st party if the appropriate conditions
  >are met (contractual relationship, data segregation, etc.).  This will
  >meet the reality of online business operations today AND provide a
  >construct such that Service Providers are not confused in language
  >directed at actual 3rd parties.  Fair?
  >
  >1st Party
  >3rd Party
  >Service Provider (3rd Party acting as a 1st Party)
  >Widget (1st Party on 3rd Party sites)
  >
  >- Shane
  >
  >-----Original Message-----
  >From: Roy T. Fielding [mailto:fielding@gbiv.com]
  >Sent: Wednesday, February 29, 2012 7:29 PM
  >To: Jonathan Mayer
  >Cc: Tom Lowenthal; public-tracking@w3.org
  >Subject: Re: Third parties should not pretend to be first parties
  >
  >On Feb 29, 2012, at 6:00 PM, Jonathan Mayer wrote:
  >
  >> The provisions on outsourcing are not "overly simplistic" in the
  >>slightest.  The group worked through them at Santa Clara, on the list,
  >>and on multiple calls.  We've talking through myriad hypotheticals,
  >>including service providers like a cloud computing platform.
  >> 
  >> Unless you have a new use case, I think this is all long since closed.
  >
  >Those sections are marked as PENDING REVIEW in the document, and the
  >particular issue we are talking about now (ISSUE-123) is still OPEN.
  >
  >Since neither of you are on the hook to implement this, I suggest
  >you pay attention to my concerns: I object to this wording if it
  >includes third parties acting as a first party.  A third-party acting
  >as a first-party may present itself as the first-party because it is
  >already constrained by the section defining "acting as a first-party".
  >
  >....Roy
  >
  >
  >
Received on Thursday, 1 March 2012 03:54:20 UTC