- From: Jonathan Mayer <jmayer@stanford.edu>
- Date: Tue, 13 Mar 2012 21:30:38 -0700
- To: Sean Harvey <sharvey@google.com>
- Cc: Tracking Protection Working Group WG <public-tracking@w3.org>
- Message-Id: <74BEBBD7-349C-457B-A662-08F3F43D39D6@stanford.edu>
Sean,

I've heard both you and Heather express hesitation to adopt a branding approach.

To situate the discussion, we've had (for some time) four options for delineating parties and first parties vs. third parties: domain names, corporate affiliation, branding, and user expectations. See http://lists.w3.org/Archives/Public/public-tracking/2011Oct/0343.html. Domain names have been, I think it's very fair to say, thoroughly rejected as over- and underinclusive. Corporate affiliation is a deal breaker for many privacy advocates given how it has been abused in other privacy regulatory regimes. Many industry participants view a user expectations approach as unworkable. (I disagree, and despite persistent grousing I *still* have not seen a concrete example of how the approach is unworkable.) Branding is the only option that remains, and the discussion surrounding ACTION-123 and ACTION-124 both on- and off-list was very positive.

Given that context, could you please explain your concern and propose a better option?

Jonathan

On Mar 13, 2012, at 9:13 PM, Sean Harvey wrote:

> Just to be very clear we absolutely do not have consensus on 2 or 3, nor are we near consensus on those points. Easy discoverability was the main issue to my knowledge.
>
> On Wed, Mar 14, 2012 at 12:10 AM, Jonathan Mayer <jmayer@stanford.edu> wrote:
> We agreed in Brussels that:
>
> 1) If two entities are not related by corporate affiliation, they are not part of the same party.
>
> From discussion on the mailing list, I think we are very close to consensus on three other points:
>
> 2) Branding should determine party boundaries.
>
> 3) Branding should determine first parties and third parties.
>
> 4) An entity must make "discoverable" the other entities that it considers part of the same party.
>
> We do not have consensus on a final issue:
>
> 5) If two entities are related by corporate affiliation, are they part of the same party?
>
> I've taken a stab at text that captures these five points. It is based on the current TCS document, the DAA principles, my proposal with Tom, and the CDT proposal.
>
> --------------------------------------------------
>
> I. Definitions
>
> A. Network Interaction
> A "network interaction" is an HTTP request and response, or any other sequence of logically related network traffic.
>
> B. Entity
> An "entity" is any commercial, nonprofit, or governmental organization, a subsidiary or unit of such an organization, or a person.
>
> C. Affiliation
> If an entity holds significant ownership in or exercises significant operational control over another entity, they are "affiliated."
>
> D. Party
> A "party" is any group of entities that:
> a) consistently presents common branding throughout each entity, and
> b) is related by affiliation.
> [there is debate over whether to flip the "and" to an "or"]
>
> E. First Parties and Third Parties
> A "first party" is any party, in a specific network interaction, that brands content that occupies the full window.
> A "third party" is any party, in a specific network interaction, that does not brand content that occupies the full window.
>
> II. Transparency Requirement
>
> A. Operative Text
> A party must make reasonable efforts to ensure users can discover which entities it encompasses.
>
> B. Non-Normative Discussion
> A list of entities in a privacy policy would ordinarily satisfy this requirement.
>
> --
> Sean Harvey
> Business Product Manager
> Google, Inc.
> 212-381-5330
> sharvey@google.com

Received on Wednesday, 14 March 2012 04:31:08 UTC