Re: Parties and First Party vs. Third Party (ISSUE-10)

All do respect to Jonathan (and I guess to Google) but I'm not sure I agree
with your application of the consumer expectation test here. I agree that a
heavy Internet user (or someone pursuing a higher degree in computer
science) might understand that YouTube is owned by Google. But I'm not sure
if someone in middle America who is not a heavy internet User would know
thisŠ.

Ironically, that same person in middle America (particularly if in Ohio)
might very well know that the Tide is owned by P&G.

And this is what makes these types of distinctions really difficult to
operationalize.



Cheers,

Alan Chapell
Chapell & Associates
917 318 8440


From:  Jonathan Mayer <jmayer@stanford.edu>
Date:  Fri, 16 Mar 2012 11:46:24 -0700
To:  Geoff Gieron - AdTruth <ggieron@adtruth.com>
Cc:  JC Cannon <jccannon@microsoft.com>, Jeffrey Chester
<jeff@democraticmedia.org>, "Amy Colando (LCA)" <acolando@microsoft.com>,
Shane Wiley <wileys@yahoo-inc.com>, Mike Zaneis <mike@iab.net>, Sean Harvey
<sharvey@google.com>, Tracking Protection Working Group WG
<public-tracking@w3.org>
Subject:  Re: Parties and First Party vs. Third Party (ISSUE-10)
Resent-From:  <public-tracking@w3.org>
Resent-Date:  Fri, 16 Mar 2012 18:47:01 +0000

Under a branding approach, YouTube and Google would belong in different
parties since they don't share branding.  Under a consumer expectations
approach, they would likely belong to the same party since many consumers
understand that YouTube is owned by Google.

This suggests to me another possible direction: a union of branding and user
expectations.  Branding would become, in essence, a concrete safe harbor for
satisfying the user expectations standard.

On Mar 16, 2012, at 11:02 AM, Geoff Gieron - AdTruth wrote:

> Jonathan ­ would appreciate some additional clarification if possibleŠ.based
> on your example below about consumers being aware of corporate parents ­ would
> this then state that companies like Google who have consolidated their privacy
> policies in order to deal with consumers in a clear manner under one policy ­
> also fall victim to the Tide/P&G example?
> 
> So where Admeld, Picasa, Doubleclick, YouTube, etcŠyou and Jeffrey are making
> the statement here in this conversation that Google cannot claim first party
> across all of it's properties due to average consumer awareness and knowledge?
> (example: Joe Consumer uses YouTube, but is not personally knowledgeable that
> YouTube.com <http://YouTube.com>  belongs to Google ­ thereforeŠYouTube is the
> first party and any ads coming from other Google entities will be classified
> as 3rd party when DNT is set by the consumer?)
> 
> Thanks for the help in clarification
>  
> Geoff Gieron
> Business Development Strategist
>  
> <B6D349F0-DB69-481C-A4A8-5CC1CDE1C45E[95].png>
>  
> O:   +1.480.776.5525
> M:  +1.602.418.8094
> ggieron@adtruth.com
> www.adtruth.com <http://www.adtruth.com>
> 
> 
> From: Jonathan Mayer <jmayer@stanford.edu>
> Date: Fri, 16 Mar 2012 10:40:56 -0700
> To: JC Cannon <jccannon@microsoft.com>
> Cc: Jeffrey Chester <jeff@democraticmedia.org>, "Amy Colando (LCA)"
> <acolando@microsoft.com>, Shane Wiley <wileys@yahoo-inc.com>, Mike Zaneis
> <mike@iab.net>, Sean Harvey <sharvey@google.com>, Tracking Protection Working
> Group WG <public-tracking@w3.org>
> Subject: Re: Parties and First Party vs. Third Party (ISSUE-10)
> Resent-From: <public-tracking@w3.org>
> Resent-Date: Fri, 16 Mar 2012 17:41:32 +0000
> 
> I'd like to distinguish two objections JC just raised.
> 
> 1) It is excessively burdensome to require siloed information practices for
> the Tide brand (and other brands).  I imagine this is a conversation that will
> continue to play out.
> 
> 2) Users understand they are sharing data with Proctor & Gamble (and other
> corporate parents).  I don't think that's at all the case.  If it were, we
> wouldn't be debating affiliation vs. user expectations.
> 
> As for the practical impact of a branding standard, it's difficult to say.
> Some companies may choose to add corporate parent branding to their various
> web properties.  Other may decide to silo data.  Either would be an
> improvement in consumer awareness and control.
> 
> On Mar 16, 2012, at 10:32 AM, JC Cannon wrote:
> 
>> That position is not practical. Tide is not even a company. It should be
>> clear to the consumer that they are dealing with P&G. Are you suggesting that
>> P&G change the branding of all their sites?
>>  
>> JC
>>  
>> From: Jeffrey Chester [mailto:jeff@democraticmedia.org]
>> Sent: Friday, March 16, 2012 10:28 AM
>> To: Amy Colando (LCA)
>> Cc: Shane Wiley; Jonathan Mayer; Mike Zaneis; Sean Harvey; Tracking
>> Protection Working Group WG
>> Subject: Re: Parties and First Party vs. Third Party (ISSUE-10)
>>  
>> P & G has many different data models for its brands.  The copyright notice
>> doesn't tell consumers what the individual brand's data practices are.
>> People may comfortable with interacting with Tide (and its social media
>> practices, for example).  But they won't know how P&G operationalizes its
>> data collection on its many diverse brands and respective campaigns:
>> http://www.pg.com/en_US/brands/all_brands.shtml
>>  
>> Tide is First party, not P&G.
>>  
>>  
>>  
>>  
>>  
>> Jeffrey Chester
>> Center for Digital Democracy
>> 1621 Connecticut Ave, NW, Suite 550
>> Washington, DC 20009
>> www.democraticmedia.org <http://www.democraticmedia.org/>
>> www.digitalads.org <http://www.digitalads.org/>
>> 202-986-2220
>>  
>> On Mar 16, 2012, at 1:08 PM, Amy Colando (LCA) wrote:
>> 
>> 
>> On ³branding,² can you please consider the example of
>> http://www.tide.com/en-US/index.jspx ?  The branding is ³Tide², but Tide is
>> not a legal entity, nor does it own web servers or contract with analytics
>> providers or ad networks.  Tide is a brand owned by Proctor & Gamble.  You
>> can see the P&G copyright notice at the bottom of the website, and the
>> privacy policy and legal terms both link directly to
>> http://www.pg.com/en_US/terms_conditions/index.shtml .
>>  
>> So who is the first party here?
>>  
>> From: Shane Wiley [mailto:wileys@yahoo-inc.com]
>> Sent: Wednesday, March 14, 2012 11:27 AM
>> To: Jonathan Mayer
>> Cc: Mike Zaneis; Sean Harvey; Tracking Protection Working Group WG
>> Subject: RE: Parties and First Party vs. Third Party (ISSUE-10)
>>  
>> Thank you for the clarification Jonathan ­ that helps me better understand
>> your perspective.
>>  
>> After speaking more with multi-brand publishers (most large publishers are
>> multi-brand but surprisingly there are a good amount of medium and small
>> advertisers that operate across multiple brands) and better understanding the
>> real costs to forcing a common branding standard for the 1st party
>> definition, you are correct that I support an affiliate standard and have
>> offered up the ³easily discoverable² addition to hopefully address concerns.
>>  
>> In the spirit of building a standard that will be implemented by industry, I
>> would recommend we state Affiliation + Easily Discoverable as a MUST in the
>> 1st party definition and push common branding as a SHOULD.
>>  
>> - Shane
>>  
>> From: Jonathan Mayer [mailto:jmayer@stanford.edu]
>> Sent: Wednesday, March 14, 2012 10:57 AM
>> To: Shane Wiley
>> Cc: Mike Zaneis; Sean Harvey; Tracking Protection Working Group WG
>> Subject: Re: Parties and First Party vs. Third Party (ISSUE-10)
>>  
>> We agreed in Brussels that corporate affiliation is a *necessary* condition
>> for two entities to be part of the same party.
>>  
>> We did not agree that corporate affiliation is a *sufficient* condition for
>> two entities to be part of the same party.
>>  
>> To be clear: I have *never* said I would accept a corporate affiliation
>> standard.  In fact, the writeup I did with Tom dedicates some length to
>> pointing out the flaws in using affiliation.
>>  
>> On the contrary, I thought Shane had expressed substantial interest in a
>> branding approach.  But apparently he was only willing to accept "branding or
>> affiliation" - in other words, "affiliation."
>>  
>> Jonathan
>>  
>>  
>> On Mar 14, 2012, at 7:16 AM, Shane Wiley wrote:
>>  
>> 
>> Jonathan,
>>  
>> As I work for a publically traded organization and this is a public email
>> list I¹m unable to provide financial details with respect to the cost of
>> rebranding but did my best to convey a truthful order of magnitude of the
>> costs involved in converting a corporate infrastructure from a single entity
>> basis through either front-end (branding, marketing materials, web site
>> design, user impact assessment, focus groups, collateral updates across the
>> board, etc.) and/or back-end modification (separate data collection systems,
>> separate storage systems, rewrite reporting systems to address separate data
>> storage, create/modify/test back-end scripts to address data separation,
>> divide internal teams access structures, create/implement internal programs
>> to educate employees about new separation requirements, implement monitoring
>> and compliance tools to enforce data separation, etc.).  When this is
>> multiplied across all of the companies on the globe that will have a desire
>> to implement DNT to advance enhanced consumer data protection tools, the cost
>> is AT LEAST 100s of millions of dollars.
>>  
>> I echo Mike¹s confusion as I thought you had discussed corporate ownership as
>> an acceptable 1st party definition in Brussels.
>>  
>> And to Mike¹s point, I¹ve offered up the ³easily discoverable² as a
>> compromise position for industry with only anecdotal feedback from large
>> brands and haven¹t had the opportunity or access to test this compromise
>> across a larger pool of publishers.  I did this more as a testing ground to
>> see if this could become acceptable to the working group prior to engaging in
>> that significant of an endeavor.  If there is a hard-line that common
>> branding is the end-point, then there will be no need for a larger survey of
>> publishers in this area as we can be fairly confident most multi-brand
>> publishers will not implement the W3C¹s DNT standard due to prohibitive costs
>> surrounding the definition of a 1st party.
>>  
>> - Shane
>>  
>> From: Mike Zaneis [mailto:mike@iab.net]
>> Sent: Wednesday, March 14, 2012 4:15 AM
>> To: Jonathan Mayer
>> Cc: Shane Wiley; Sean Harvey; Tracking Protection Working Group WG
>> Subject: Re: Parties and First Party vs. Third Party (ISSUE-10)
>>  
>> This is a strange conversation to me because I believe there was widespread
>> support expressed at the Brussels meeting for corporate affiliation deciding
>> the 1st party issue. This was part of the proposal Jonathan proposed that
>> included corporate affiliation OR branding (and a couple of other possible
>> factors). 
>>  
>> If I am misremembering that entire discussion then I apologize and will
>> simply state our position that corporate affiliation is the key determinate
>> for what properties constitute a 1st party. I am not yet prepared to endorse
>> even Shane's assertion of corporate affiliation + easy discovery as that
>> proposal has not been widely vetted throughout the publisher community.
>> 
>> Mike Zaneis
>> SVP & General Counsel, IAB
>> (202) 253-1466
>> 
>> On Mar 14, 2012, at 1:51 AM, "Jonathan Mayer" <jmayer@stanford.edu> wrote:
>>> 
>>> Time we can deal with - I would support a phase-in period from corporate
>>> affiliation to branding.
>>>  
>>> Expense is a different matter.  It would be helpful to hear from the other
>>> multi-brand businesses in the group how much they believe engineering
>>> support for DNT would cost.  Specifics would greatly assist in
>>> understanding; bald assertions like "[a]ny other solution will cost industry
>>> 100s of millions of dollars" do us little good.
>>>  
>>> I'll be very disappointed if industry participants newly decide, six months
>>> into this process and over a year into defining DNT, that *any* shift from
>>> status quo party boundaries is unacceptable.  But if that happens, we'll
>>> have to balance economics against privacy.  We would, after all, be
>>> considering a Do Not Track standard that necessarily allows information
>>> flows that violate user expectations and cross brand boundaries.
>>>  
>>> Jonathan
>>>  
>>> On Mar 13, 2012, at 9:54 PM, Shane Wiley wrote:
>>> 
>>> 
>>> 
>>> Jonathan,
>>>  
>>> We may need to take the pulse of those in industry again as I believe
>>> through further discussion that Industry is firmly on the side of corporate
>>> affiliation + easy discovery (single click).  Any other solution will cost
>>> industry 100s of millions of dollars globally to either rebrand all of their
>>> online efforts and/or reengineer back-end systems to develop separation
>>> between brands.  These appears to be a non-starter for an ³easy
>>> implementable² goal as small and mid size publishers will be looking to
>>> larger publishers to provide the tools to implement DNT on their properties.
>>> And most of the larger publishers in the world operate under a multi-brand
>>> structure and would likely not implement DNT due to the expense.  I
>>> personally wish it were less expensive to unwind several hundred years of
>>> branding strategy across the globe, but I don¹t believe that will be
>>> possible in the timeframe of this working group.
>>>  
>>> - Shane
>>>  
>>> From: Jonathan Mayer [mailto:jmayer@stanford.edu]
>>> Sent: Tuesday, March 13, 2012 9:46 PM
>>> To: Sean Harvey
>>> Cc: Tracking Protection Working Group WG
>>> Subject: Re: Parties and First Party vs. Third Party (ISSUE-10)
>>>  
>>> Sean,
>>>  
>>> I don't doubt that many industry participants would greatly prefer a
>>> corporate affiliation standard, just as many civil society participants
>>> would greatly prefer a user expectations standard.  But we're now operating
>>> in the zone of compromise, where the relevant question is what stakeholders
>>> will accept.  And many participants, from both industry and civil society,
>>> have indicated they would accept branding.
>>>  
>>> Jonathan
>>>  
>>> On Mar 13, 2012, at 9:32 PM, Sean Harvey wrote:
>>> 
>>> 
>>> 
>>> 
>>> Thanks Jonathan. I have been far from alone in espousing a corporate
>>> affiliation plus discoverability approach. As Shane from Yahoo and others
>>> have indicated on this list and in direct meetings, it is not the job of
>>> this standards committee to break up the multi-brand approach of many
>>> companies on the web. This is not an issue of my and Heather's objection,
>>> there is a broad disagreement with you on this topic that we can discuss
>>> further in a weekly meeting.
>>>  
>>>  
>>> 
>>> On Wed, Mar 14, 2012 at 12:30 AM, Jonathan Mayer <jmayer@stanford.edu>
>>> wrote:
>>> Sean,
>>>  
>>> I've heard both you and Heather express hesitation to adopt a branding
>>> approach.
>>>  
>>> To situate the discussion, we've had (for some time) four options for
>>> delineating parties and first parties vs. third parties: domain names,
>>> corporate affiliation, branding, and user expectations.  See
>>> http://lists.w3.org/Archives/Public/public-tracking/2011Oct/0343.html.
>>>  
>>> Domain names have been, I think it's very fair to say, thoroughly rejected
>>> as over- and underinclusive.  Corporate affiliation is a deal breaker for
>>> many privacy advocates given how it has been abused in other privacy
>>> regulatory regimes.  Many industry participants view a user expectations
>>> approach as unworkable.  (I disagree, and despite persistent grousing I
>>> *still* have not seen a concrete example of how the approach is unworkable.)
>>> Branding is the only option that remains, and the discussion surrounding
>>> ACTION-123 and ACTION-124 both on- and off-list was very positive.
>>>  
>>> Given that context, could you please explain your concern and propose a
>>> better option?
>>>  
>>> Jonathan
>>>  
>>> On Mar 13, 2012, at 9:13 PM, Sean Harvey wrote:
>>> 
>>> 
>>> 
>>> 
>>> Just to be very clear we absolutely do not have consensus on 2 or 3, nor are
>>> we near consensus on those points. Easy discoverability was the main issue
>>> to my knowledge.
>>>  
>>> 
>>> On Wed, Mar 14, 2012 at 12:10 AM, Jonathan Mayer <jmayer@stanford.edu>
>>> wrote:
>>> We agreed in Brussels that:
>>> 
>>> 1) If two entities are not related by corporate affiliation, they are not
>>> part of the same party.
>>> 
>>>> >From discussion on the mailing list, I think we are very close to
>>>> consensus on three other points:
>>> 
>>> 2) Branding should determine party boundaries.
>>> 
>>> 3) Branding should determine first parties and third parties.
>>> 
>>> 4) An entity must make "discoverable" the other entities that it considers
>>> part of the same party.
>>> 
>>> We do not have consensus on a final issue:
>>> 
>>> 5) If two entities are related by corporate affiliation, are they part of
>>> the same party?
>>> 
>>> I've taken a stab at text that captures these five points.  It is based on
>>> the current TCS document, the DAA principles, my proposal with Tom, and the
>>> CDT proposal.
>>> 
>>> --------------------------------------------------
>>> 
>>> I. Definitions
>>> 
>>> A. Network Interaction
>>> A "network interaction" is an HTTP request and response, or any other
>>> sequence of logically related network traffic.
>>> 
>>> B. Entity
>>> An "entity" is any commercial, nonprofit, or governmental organization, a
>>> subsidiary or unit of such an organization, or a person.
>>> 
>>> C. Affiliation
>>> If an entity holds significant ownership in or exercises significant
>>> operational control over another entity, they are "affiliated."
>>> 
>>> D. Party
>>> A "party" is any group of entities that:
>>> a) consistently presents common branding throughout each entity, and
>>> b) is related by affiliation.
>>> [there is debate over whether to flip the "and" to an "or"]
>>> 
>>> E. First Parties and Third Parties
>>> A "first party" is any party, in a specific network interaction, that brands
>>> content that occupies the full window.
>>> A "third party" is any party, in a specific network interaction, that does
>>> not brand content that occupies the full window.
>>> 
>>> II. Transparency Requirement
>>> 
>>> A. Operative Text
>>> A party must make reasonable efforts to ensure users can discover which
>>> entities it encompasses.
>>> 
>>> B. Non-Normative Discussion
>>> A list of entities in a privacy policy would ordinarily satisfy this
>>> requirement.
>>> 
>>> 
>>> 
>>> 
>>> 
>>>  
>>> -- 
>>> Sean Harvey
>>> Business Product Manager
>>> Google, Inc. 
>>> 212-381-5330 <tel:212-381-5330>
>>> sharvey@google.com
>>>  
>>> 
>>> 
>>>  
>>> -- 
>>> Sean Harvey
>>> Business Product Manager
>>> Google, Inc. 
>>> 212-381-5330
>>> sharvey@google.com
>>  
> 
> The information contained in this e-mail is confidential and/or proprietary of
> AdTruth. The information transmitted herewith is intended only for use by the
> individual or entity to which it is addressed. If you are not the intended
> recipient, you should not copy, distribute, disclose or use the information it
> contains, please e-mail the sender immediately and delete this message from
> your system.