Re: Parties and First Party vs. Third Party (ISSUE-10)

Sean,

I've heard both you and Heather express hesitation to adopt a branding approach.

To situate the discussion, we've had (for some time) four options for delineating parties and first parties vs. third parties: domain names, corporate affiliation, branding, and user expectations.  See http://lists.w3.org/Archives/Public/public-tracking/2011Oct/0343.html.

Domain names have been, I think it's very fair to say, thoroughly rejected as over- and underinclusive.  Corporate affiliation is a deal breaker for many privacy advocates given how it has been abused in other privacy regulatory regimes.  Many industry participants view a user expectations approach as unworkable.  (I disagree, and despite persistent grousing I *still* have not seen a concrete example of how the approach is unworkable.)  Branding is the only option that remains, and the discussion surrounding ACTION-123 and ACTION-124 both on- and off-list was very positive.

Given that context, could you please explain your concern and propose a better option?

Jonathan
 
On Mar 13, 2012, at 9:13 PM, Sean Harvey wrote:

> Just to be very clear we absolutely do not have consensus on 2 or 3, nor are we near consensus on those points. Easy discoverability was the main issue to my knowledge. 
> 
> 
> On Wed, Mar 14, 2012 at 12:10 AM, Jonathan Mayer <jmayer@stanford.edu> wrote:
> We agreed in Brussels that:
> 
> 1) If two entities are not related by corporate affiliation, they are not part of the same party.
> 
> From discussion on the mailing list, I think we are very close to consensus on three other points:
> 
> 2) Branding should determine party boundaries.
> 
> 3) Branding should determine first parties and third parties.
> 
> 4) An entity must make "discoverable" the other entities that it considers part of the same party.
> 
> We do not have consensus on a final issue:
> 
> 5) If two entities are related by corporate affiliation, are they part of the same party?
> 
> I've taken a stab at text that captures these five points.  It is based on the current TCS document, the DAA principles, my proposal with Tom, and the CDT proposal.
> 
> --------------------------------------------------
> 
> I. Definitions
> 
> A. Network Interaction
> A "network interaction" is an HTTP request and response, or any other sequence of logically related network traffic.
> 
> B. Entity
> An "entity" is any commercial, nonprofit, or governmental organization, a subsidiary or unit of such an organization, or a person.
> 
> C. Affiliation
> If an entity holds significant ownership in or exercises significant operational control over another entity, they are "affiliated."
> 
> D. Party
> A "party" is any group of entities that:
> a) consistently presents common branding throughout each entity, and
> b) is related by affiliation.
> [there is debate over whether to flip the "and" to an "or"]
> 
> E. First Parties and Third Parties
> A "first party" is any party, in a specific network interaction, that brands content that occupies the full window.
> A "third party" is any party, in a specific network interaction, that does not brand content that occupies the full window.
> 
> II. Transparency Requirement
> 
> A. Operative Text
> A party must make reasonable efforts to ensure users can discover which entities it encompasses.
> 
> B. Non-Normative Discussion
> A list of entities in a privacy policy would ordinarily satisfy this requirement.
> 
> 
> 
> 
> 
> -- 
> Sean Harvey
> Business Product Manager
> Google, Inc. 
> 212-381-5330
> sharvey@google.com

Received on Wednesday, 14 March 2012 04:31:08 UTC