RE: Parties and First Party vs. Third Party (ISSUE-10)

FWIW, I have run the "easily discoverable" language by 10 or so publishers and have found general support within our membership.  I need to get more feedback before I can say that the OPA will support.  Specifically, one company would probably hot-link the word "affiliate" within the privacy policy, which would take the user to a page where all of the affiliates would be listed.  Maintaining one page would be much easier to implement for companies as opposed to frequently altering their privacy policy.

But, I think we should have a discussion about the broader landscape.  Clearly, Europe and the US are moving in different directions and both have unique definitions of parties.  If I understand correctly, the EU doesn't even address parties per se.  Even if we could blend the two approaches (good luck with that!), I don't think there would be much point in doing so.  For one, most of industry is already complying with the DAA self-regulatory program (Zaneis, am I overstating that?).  Assuming that the DAA is able to craft a DNT solution with the browser companies, US companies are likely to adopt the DAA's DNT solution.  I don't see any way that publishers, advertisers, ad networks, et al would engineer for two different DNT standards.  The White House principles are not likely to go anywhere in Congress.  They could become part of the discussion within the NTIA's multi-stakeholder process, but that's going to play out over several years.  Likewise in Europe, I think companies are likely to pursue varied compliance strategies depending on their presence in Europe, risk of enforcement, business models/practices, etc.  I'm no expert on the EU, so I would be very interested to hear other perspectives here.  Seems to me that the W3C could be helpful here by providing a basic architecture/tools for companies to build compliance solutions instead of a "one-size fits all" approach.

All that said, I think the W3C can add real value to this landscape by focusing on the technical solution for DNT as opposed to spending inordinate amounts of time and hot air on these policy debates, which even after they are resolved aren't going to be adopted.  The technical side of DNT would be of tremendous value, however.  The EU and DAA have laid out principles, but have done little on the technical engineering side.  By laying out a technical standard, companies could incorporate the W3C's work into their EU compliance solutions and the DAA could incorporate the W3C's work into their standard.

Just my two cents.  Am I missing something here?

From: Shane Wiley [mailto:wileys@yahoo-inc.com]
Sent: Wednesday, March 14, 2012 10:17 AM
To: Mike Zaneis; Jonathan Mayer
Cc: Sean Harvey; Tracking Protection Working Group WG
Subject: RE: Parties and First Party vs. Third Party (ISSUE-10)

Jonathan,

As I work for a publicly traded organization and this is a public email list I'm unable to provide financial details with respect to the cost of rebranding but did my best to convey a truthful order of magnitude of the costs involved in converting a corporate infrastructure from a single entity basis through either front-end (branding, marketing materials, web site design, user impact assessment, focus groups, collateral updates across the board, etc.) and/or back-end modification (separate data collection systems, separate storage systems, rewrite reporting systems to address separate data storage, create/modify/test back-end scripts to address data separation, divide internal teams access structures, create/implement internal programs to educate employees about new separation requirements, implement monitoring and compliance tools to enforce data separation, etc.).  When this is multiplied across all of the companies on the globe that will have a desire to implement DNT to advance enhanced consumer data protection tools, the cost is AT LEAST 100s of millions of dollars.

I echo Mike's confusion as I thought you had discussed corporate ownership as an acceptable 1st party definition in Brussels.

And to Mike's point, I've offered up the "easily discoverable" as a compromise position for industry with only anecdotal feedback from large brands and haven't had the opportunity or access to test this compromise across a larger pool of publishers.  I did this more as a testing ground to see if this could become acceptable to the working group prior to engaging in that significant of an endeavor.  If there is a hard-line that common branding is the end-point, then there will be no need for a larger survey of publishers in this area as we can be fairly confident most multi-brand publishers will not implement the W3C's DNT standard due to prohibitive costs surrounding the definition of a 1st party.

- Shane

From: Mike Zaneis [mailto:mike@iab.net]
Sent: Wednesday, March 14, 2012 4:15 AM
To: Jonathan Mayer
Cc: Shane Wiley; Sean Harvey; Tracking Protection Working Group WG
Subject: Re: Parties and First Party vs. Third Party (ISSUE-10)

This is a strange conversation to me because I believe there was widespread support expressed at the Brussels meeting for corporate affiliation deciding the 1st party issue. This was part of the proposal Jonathan proposed that included corporate affiliation OR branding (and a couple of other possible factors).

If I am misremembering that entire discussion then I apologize and will simply state our position that corporate affiliation is the key determinant for what properties constitute a 1st party. I am not yet prepared to endorse even Shane's assertion of corporate affiliation + easy discovery as that proposal has not been widely vetted throughout the publisher community.

Mike Zaneis
SVP & General Counsel, IAB
(202) 253-1466

On Mar 14, 2012, at 1:51 AM, "Jonathan Mayer" <jmayer@stanford.edu> wrote:
Time we can deal with - I would support a phase-in period from corporate affiliation to branding.

Expense is a different matter.  It would be helpful to hear from the other multi-brand businesses in the group how much they believe engineering support for DNT would cost.  Specifics would greatly assist in understanding; bald assertions like "[a]ny other solution will cost industry 100s of millions of dollars" do us little good.

I'll be very disappointed if industry participants newly decide, six months into this process and over a year into defining DNT, that *any* shift from status quo party boundaries is unacceptable.  But if that happens, we'll have to balance economics against privacy.  We would, after all, be considering a Do Not Track standard that necessarily allows information flows that violate user expectations and cross brand boundaries.

Jonathan

On Mar 13, 2012, at 9:54 PM, Shane Wiley wrote:

Jonathan,

We may need to take the pulse of those in industry again as I believe through further discussion that Industry is firmly on the side of corporate affiliation + easy discovery (single click).  Any other solution will cost industry 100s of millions of dollars globally to either rebrand all of their online efforts and/or reengineer back-end systems to develop separation between brands.  This appears to be a non-starter for an "easy implementable" goal as small and mid-size publishers will be looking to larger publishers to provide the tools to implement DNT on their properties.  And most of the larger publishers in the world operate under a multi-brand structure and would likely not implement DNT due to the expense.  I personally wish it were less expensive to unwind several hundred years of branding strategy across the globe, but I don't believe that will be possible in the timeframe of this working group.

- Shane

From: Jonathan Mayer [mailto:jmayer@stanford.edu]
Sent: Tuesday, March 13, 2012 9:46 PM
To: Sean Harvey
Cc: Tracking Protection Working Group WG
Subject: Re: Parties and First Party vs. Third Party (ISSUE-10)

Sean,

I don't doubt that many industry participants would greatly prefer a corporate affiliation standard, just as many civil society participants would greatly prefer a user expectations standard.  But we're now operating in the zone of compromise, where the relevant question is what stakeholders will accept.  And many participants, from both industry and civil society, have indicated they would accept branding.

Jonathan

On Mar 13, 2012, at 9:32 PM, Sean Harvey wrote:


Thanks Jonathan. I have been far from alone in espousing a corporate affiliation plus discoverability approach. As Shane from Yahoo and others have indicated on this list and in direct meetings, it is not the job of this standards committee to break up the multi-brand approach of many companies on the web. This is not an issue of my and Heather's objection, there is a broad disagreement with you on this topic that we can discuss further in a weekly meeting.


On Wed, Mar 14, 2012 at 12:30 AM, Jonathan Mayer <jmayer@stanford.edu> wrote:
Sean,

I've heard both you and Heather express hesitation to adopt a branding approach.

To situate the discussion, we've had (for some time) four options for delineating parties and first parties vs. third parties: domain names, corporate affiliation, branding, and user expectations.  See http://lists.w3.org/Archives/Public/public-tracking/2011Oct/0343.html.

Domain names have been, I think it's very fair to say, thoroughly rejected as over- and underinclusive.  Corporate affiliation is a deal breaker for many privacy advocates given how it has been abused in other privacy regulatory regimes.  Many industry participants view a user expectations approach as unworkable.  (I disagree, and despite persistent grousing I *still* have not seen a concrete example of how the approach is unworkable.)  Branding is the only option that remains, and the discussion surrounding ACTION-123 and ACTION-124 both on- and off-list was very positive.

Given that context, could you please explain your concern and propose a better option?

Jonathan

On Mar 13, 2012, at 9:13 PM, Sean Harvey wrote:


Just to be very clear we absolutely do not have consensus on 2 or 3, nor are we near consensus on those points. Easy discoverability was the main issue to my knowledge.

On Wed, Mar 14, 2012 at 12:10 AM, Jonathan Mayer <jmayer@stanford.edu> wrote:
We agreed in Brussels that:

1) If two entities are not related by corporate affiliation, they are not part of the same party.

From discussion on the mailing list, I think we are very close to consensus on three other points:

2) Branding should determine party boundaries.

3) Branding should determine first parties and third parties.

4) An entity must make "discoverable" the other entities that it considers part of the same party.

We do not have consensus on a final issue:

5) If two entities are related by corporate affiliation, are they part of the same party?

I've taken a stab at text that captures these five points.  It is based on the current TCS document, the DAA principles, my proposal with Tom, and the CDT proposal.

--------------------------------------------------

I. Definitions

A. Network Interaction
A "network interaction" is an HTTP request and response, or any other sequence of logically related network traffic.

B. Entity
An "entity" is any commercial, nonprofit, or governmental organization, a subsidiary or unit of such an organization, or a person.

C. Affiliation
If an entity holds significant ownership in or exercises significant operational control over another entity, they are "affiliated."

D. Party
A "party" is any group of entities that:
a) consistently presents common branding throughout each entity, and
b) is related by affiliation.
[there is debate over whether to flip the "and" to an "or"]

E. First Parties and Third Parties
A "first party" is any party, in a specific network interaction, that brands content that occupies the full window.
A "third party" is any party, in a specific network interaction, that does not brand content that occupies the full window.

II. Transparency Requirement

A. Operative Text
A party must make reasonable efforts to ensure users can discover which entities it encompasses.

B. Non-Normative Discussion
A list of entities in a privacy policy would ordinarily satisfy this requirement.




--
Sean Harvey
Business Product Manager
Google, Inc.
212-381-5330
sharvey@google.com





Received on Wednesday, 14 March 2012 15:57:45 UTC